On Tue, Sep 25, 2007 at 06:33:40PM -0500, Manoj Srivastava wrote: > On Tue, 25 Sep 2007 23:49:17 +0200, Martin Uecker <[EMAIL PROTECTED]> said: > > > On Mon, Sep 24, 2007 at 06:20:40PM -0500, Manoj Srivastava wrote: > >> On Tue, 25 Sep 2007 00:04:15 +0200, Martin Uecker <[EMAIL PROTECTED]> > >> said: > >> > > >> > It would be enough when just a few people are actually recompiling > >> > the binaries and compare it to the official debian packages. Then > >> > *everbody* could trust that the packages are not modified, because > >> > any modification would be detected immediatley. This is only > >> > possible with bit-identical binaries. > >> > >> Err, what? Why would everyone do that? I mean, you do not trust the > >> Debian distribution system, the archive gpg signatures, the md5sums > >> on the package, etc, and ye5t you are willing to accept mails from > >> other people that things are oK? > > > No. I would trust the binaries if there are *no mails* from other > > Ah, security through blissful ignorance :) You do not actually > trust the archive, or the developers, you trust the silence.
I trust special relativity, because nobody has disproven it yet. Do you think this is blissfull ignorance, too? > > people that things are *not ok*. Because everybody can check that the > > binaries are not compromised, you can actually be quite sure that > > things are ok, as long as nobody complains. And if doubts come up, I > > can check myself. This actually the same principle on wich science is > > build: falsifiability. > > Everyone does that now based on debian archive signatures. You > do not need bit-by-bit verification for that. Again: How does this protect against a compromised build host? > So, one someone lets the cat out of the bag, and we are not so > blissful ,how can we check? > > Simple, you say, compile the source!! But, dear folks, the > person who can compromise the archive, fake out the buildd's, > add the archive signature -- can also hack the source. Is actually quite likely that somebody would notice if Debian distributes trojaned source packages. > > Its exactly the same: Because the source code is open, I would hope > > that somebody would find the backdoor. > > Ah. again, assume security until someone pulls us out of our > ignorance. See above. > So easy to do a denial of service attack by random slander of > binaries and source (thanks, helpful botnet). All security work in the free software community works like this: Somebody finds a flaw, he reports it, it gets fixed. So you say this can be DOSed by reporting a lot of false bug reports with a botnet? > > Compare this to the current system: The trustworthiness of *all* DDs > > wich maintain packages which are installed on my systems, the security > > of *all* computers those DDs store their keys on, the security of the > > build host, the gpg signatures and the md5sums are actually a chain of > > trust where the weakest link determines the total security. > > I kinda find your alternate shceme, based on bit-for-bit > sameness, not to be all that secure, really. It is a feel good thing > with little added secueity. Ironically, I think the current scheme where the binaries are signed by some public key provides a false illusion of security. Have you actually thought about the meaning of this signature? It just means that the signee (and I do not even know who this actually is) believes that this binary was not tampered with. Nothing more. And nobody else has the possibilty to verify this. > However, this is all moot; unless someone does all the work to > make things absolutely bit-for-bit the same, compile after compile, and > manages to convince all the package ownsers to accept the changes, this > is going nowhere. I am not even sure it can be done, technically. You are right: Currently, this is all moot. But I find this discussion very interesting. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
