On Sat, 18 Feb 2012, Teus Benschop wrote:
> To put things in perspective, I just wonder how strong this 'fortress'
> really is, and whether this strength is only in our perception or
> whether it is real. Let me give just one example: A developer downloads
> a tarball from an upstream source, configures it, and does make install,
> yet has not even once checked whether this tarball is secure or is not a
> root kit. Teus.
Good packaging developers go to great lengths to be sure they are not going to distribute anything trojaned. This takes a lot of work, and often requires a very good working relationship with upstream, to the point of getting upstream to change his processes. This does include tracking deviations from VCS to upstream releases, going over upstream changes when possible, and using crypto properly to verify the authenticity of upstream commits and tarballs (when available; when it is not available, educating upstream about it is required).

Obviously, sometimes due diligence is not done (some people are quite lazy), and sometimes it is just plain impossible to do. And sometimes the malicious change was done in such a way that only a careful audit would find it.

So, yes, you really risk it happening. If you want to minimize that chance, Debian stable is your friend, as the window of opportunity to discover trojaned sources is much larger in stable than it is in testing and unstable.

I'm not sure what the Debian project could do to make sure we're at least doing everything that is humanly possible, *on every package* (we already do it on many packages) to allow for early detection of trojaned upstream releases or trojaned upstream VCS.

-- 
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

Archive: http://lists.debian.org/20120218124650.gc20...@khazad-dum.debian.net
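The two checks Henrique describes, comparing an upstream release tarball against the corresponding VCS tag and verifying a detached signature, are shown below as an added example. This is not Debian tooling or code from the thread; it assumes the VCS side has already been exported as a tar stream (for instance with `git archive --format=tar --prefix=foo-1.2/ v1.2 > vcs.tar`), and the file names and contents in `demo()` are constructed for the illustration. The `gpg_verify` helper assumes `gpg` is on PATH and is deliberately pointed at a keyring holding only the upstream keys the packager has already vetted, not the user's default keyring.

```python
"""Compare an upstream release tarball with the matching VCS tag export.

Added example, not Debian tooling. Assumes the VCS side was exported as a
tar stream (e.g. 'git archive --format=tar --prefix=foo-1.2/ v1.2').
File names and contents in demo() are constructed sample input.
"""
import hashlib
import io
import subprocess
import tarfile
from typing import Dict, Set, Tuple


def tar_manifest(fileobj) -> Dict[str, str]:
    """Map each regular file in a tar stream to the SHA-256 of its content.

    The leading 'name-version/' directory that tarballs and 'git archive'
    output both carry is stripped so it never counts as a difference.
    """
    manifest: Dict[str, str] = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tar.extractfile(member).read()
            manifest[path] = hashlib.sha256(data).hexdigest()
    return manifest


def compare(release: Dict[str, str], vcs: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (only_in_release, only_in_vcs, content_differs).

    Files only in the release are where generated autotools output lives,
    but also where an injected file would hide; every entry needs a look.
    A file present in both with a different hash is an edit that never
    went through the VCS and deserves the closest scrutiny.
    """
    only_release = set(release) - set(vcs)
    only_vcs = set(vcs) - set(release)
    differs = {p for p in release.keys() & vcs.keys() if release[p] != vcs[p]}
    return only_release, only_vcs, differs


def gpg_verify(tarball: str, signature: str, keyring: str) -> bool:
    """Check a detached signature using only the given keyring of vetted
    upstream keys (assumption: gpg is on PATH). A VALIDSIG status line is
    required in addition to exit status 0."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--no-default-keyring",
         "--keyring", keyring, "--verify", signature, tarball],
        capture_output=True, text=True)
    return proc.returncode == 0 and "[GNUPG:] VALIDSIG" in proc.stdout


def build_tar(files: Dict[str, bytes], prefix: str) -> io.BytesIO:
    """Constructed sample input: build an in-memory tarball with a prefix dir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def demo() -> Tuple[Set[str], Set[str], Set[str]]:
    """Constructed case: the tarball carries a generated 'configure' (expected)
    and a src/main.c that differs from the tagged source (not expected)."""
    vcs_files = {
        "configure.ac": b"AC_INIT([foo],[1.2])\n",
        "src/main.c": b"int main(void){return 0;}\n",
    }
    release_files = dict(vcs_files)
    release_files["configure"] = b"#!/bin/sh\n# generated by autoconf\n"
    release_files["src/main.c"] = b"int main(void){system(\"id\");return 0;}\n"
    release = tar_manifest(build_tar(release_files, "foo-1.2/"))
    vcs = tar_manifest(build_tar(vcs_files, "foo-1.2/"))
    return compare(release, vcs)


if __name__ == "__main__":
    only_release, only_vcs, differs = demo()
    print("only in tarball:", sorted(only_release))
    print("only in VCS tag:", sorted(only_vcs))
    print("content differs:", sorted(differs))
```

In practice the release side is the tarball whose signature `gpg_verify` accepted, the VCS side is `git archive` of the tag upstream says the release was cut from, and the packager reads every path in all three result sets. Generated files such as `configure` will always show up as tarball-only; the point of keeping the comparison in the packaging workflow is that the list is short enough to review by hand, so an extra or altered file stands out instead of being buried in a full unpacked tree.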