On 2/13/14, Jakub Wilk <jw...@debian.org> wrote: > * Jacob Appelbaum <ja...@appelbaum.net>, 2014-02-13, 18:36: >>How many uploaded binaries might include malware? > > *shrug* It's not like it's difficult to hide malicious code in source > packages. >
It is much harder for you to hide source code changes as a third party than binary changes. Many projects have code review processes with people who read each commit and reason about the contents of each code change. Very few public projects have a similar process for reverse engineering binaries or understanding the output of a compiler for releases. Those few projects generally aim for deterministic or reproducible builds - this still has the problem of missing a solid understanding of the output, by the way. > How many configure scripts that we never rebuild from source contains > trojans? There are several serious problems involved in this topic. One expects that we at least have processes for finding malicious configure scripts, as we find buffer overflows in C programs or as we find portability problems in assembler code - no such (Debian) process currently exists for inspecting binaries that are uploaded by developers. Perhaps I'm mistaken? Perhaps there is a project for actively inspecting and reverse engineering binaries that are uploaded by developers? A key problem here is not the badly behaving developer - it is the developer that is compromised and unwittingly becomes party to harming others. Minimizing this exposure is an important goal and worth consideration. All the best, Jacob -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CAFggDF1XXuGoK_DR2LpGTDQX9NNPtou8F2JOJY=qj7ob7dk...@mail.gmail.com
