On 2013-08-04 09:50, intrigeri wrote:
> Hi,
>
> adrelanos wrote (04 Aug 2013 03:04:33 GMT) :
>> Volker Birk:
>>> On Sat, Aug 03, 2013 at 10:38:34AM +0000, adrelanos wrote:
>>>> Volker Birk:
>>>>> On Sat, Aug 03, 2013 at 09:16:40AM +0000, adrelanos wrote:
>>>>>> That should help to defeat any kind of sophisticated backdoor on build
>>>>>> machines.
>>>>> Really?
>>>>> How do you detect, if maintainer's patches contain backdoors?
>>>> Someone else builds the same package (binary) and detects a different
>>>> checksum. - That required deterministic builds.
>>> There will be the correct checksum, if the maintainer of the package
>>> does it.
>> Why?
>>> So no way to detect that with deterministic builds.
>> Why not?
> I believe you have missed something around "if maintainer's patches
> contain backdoors". Maintainer's patches are part of the source
> package, and applied to the source before the binary package is built.
> As you can see, it's obvious checksums and deterministic builds don't
> help in such a case.
>
> Cheers,

I think the real issue is about if the malicious patch is not part of
the source package. Then nobody could find that patch by reading the
source code.
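As an added example (not code from anyone in this thread), a toy Python model of the two cases argued above: a backdoor injected on the build machine, which an independent rebuild catches but source review cannot, versus one shipped as a maintainer patch inside the source package, which reproduces identically everywhere and only source review can catch. The package contents, the `SourcePackage` type and the backdoor marker are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
# Toy model (constructed for this example): a backdoor can enter a Debian-style
# package via the source package (upstream + maintainer patches) or via the
# build machine that turns the source package into a binary.

@dataclass(frozen=True)
class SourcePackage:
    upstream: str         # upstream source
    patches: tuple = ()   # maintainer patches, shipped inside the source package

    def patched_source(self) -> str:
        # Maintainer patches are applied to the source before the build.
        return "\n".join((self.upstream,) + self.patches)

def build(pkg: SourcePackage, build_host_injection: str = "") -> bytes:
    """Deterministic build: same source package -> same bytes on any machine.
    build_host_injection models a compromised build host, or a patch applied
    only there and never shipped in the source package."""
    return (pkg.patched_source() + build_host_injection).encode()

def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def rebuild_matches(pkg: SourcePackage, published_binary: bytes) -> bool:
    """What an independent builder can check: rebuild from the same source
    package and compare checksums."""
    return sha256(build(pkg)) == sha256(published_binary)

def source_review_finds(pkg: SourcePackage, marker: str) -> bool:
    """What a source auditor can check: what the source package actually ships."""
    return marker in pkg.patched_source()

UPSTREAM = "int main(void) { return 0; }"   # constructed sample source
BACKDOOR = "/* backdoor */"                 # constructed marker for the bad code

def backdoor_on_build_machine() -> tuple:
    """Clean source package, compromised build host: the rebuild checksum
    mismatch exposes it, but source review cannot see it."""
    pkg = SourcePackage(UPSTREAM, ("fix typo",))
    published = build(pkg, build_host_injection="\n" + BACKDOOR)
    return rebuild_matches(pkg, published), source_review_finds(pkg, BACKDOOR)

def backdoor_in_maintainer_patch() -> tuple:
    """Backdoor shipped as a maintainer patch: every honest rebuild reproduces
    the same checksum, so only source review can catch it."""
    pkg = SourcePackage(UPSTREAM, ("fix typo", BACKDOOR))
    published = build(pkg)
    return rebuild_matches(pkg, published), source_review_finds(pkg, BACKDOOR)
```

Each scenario returns (rebuild checksum matches, source review finds the marker), so the two cases come out as (False, False) and (True, True).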


-- 
Archive: http://lists.debian.org/51fe0cf8.9090...@stranner.org
