Heimo Stranner:

> On 2013-08-04 09:50, intrigeri wrote:
>> Hi,
>>
>> adrelanos wrote (04 Aug 2013 03:04:33 GMT) :
>>> Volker Birk:
>>>> On Sat, Aug 03, 2013 at 10:38:34AM +0000, adrelanos wrote:
>>>>> Volker Birk:
>>>>>> On Sat, Aug 03, 2013 at 09:16:40AM +0000, adrelanos wrote:
>>>>>>> That should help to defeat any kind of sophisticated backdoor on build
>>>>>>> machines.
>>>>>> Really?
>>>>>> How do you detect, if maintainer's patches contain backdoors?
>>>>> Someone else builds the same package (binary) and detects a different
>>>>> checksum. - That required deterministic builds.
>>>> There will be the correct checksum, if the maintainer of the package
>>>> does it.
>>> Why?
>>>> So no way to detect that with deterministic builds.
>>> Why not?
>> I believe you have missed something around "if maintainer's patches
>> contain backdoors". Maintainer's patches are part of the source
>> package, and applied to the source before the binary package is built.
>> As you can see, it's obvious checksums and deterministic builds don't
>> help in such a case.
>>
>> Cheers,
>
> I think the real issue is about if the malicious patch is not part of
> the source package. Then nobody could find that patch by reading the
> source code.
Patches not in the source package is what deterministic builds could detect. I think he refers to patches that look good, but contain sophisticated internally added vulnerabilities (trusting trust).

Archive: http://lists.debian.org/51fe3aa1.4020...@riseup.net
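The distinction the thread is drawing can be made concrete with a toy model. The following Python is an added example, not code from the thread or from any Debian tooling: it simulates a source package (upstream files plus maintainer patches), a deterministic build that is a plain function of that source, and two independent builders that compare output checksums. The three scenarios show what a checksum comparison can and cannot tell you: a build machine that tampers with the binary is caught because the two outputs differ, while a patch that is itself part of the source package produces bit-for-bit identical output on every builder and can only be found by reviewing the source package (here, by diffing it against upstream). All file contents, the build function and the builder names are constructed for the example.

```python
import hashlib

# Constructed sample "source package": upstream sources plus maintainer patches
# (modelled loosely on upstream tarball + distribution patches).
UPSTREAM = {"main.c": "int main(void) { return 0; }\n"}


def apply_patches(upstream, patches):
    """Apply maintainer patches (path -> replacement content) to a copy of upstream."""
    patched = dict(upstream)
    patched.update(patches)
    return patched


def deterministic_build(source_pkg):
    """Toy build: a pure function of the source, with no timestamps, build paths
    or other per-machine input, so every builder gets the same bytes."""
    source = apply_patches(source_pkg["upstream"], source_pkg["patches"])
    out = b""
    for path in sorted(source):  # sorted: iteration order must not leak into output
        out += path.encode() + b"\0" + source[path].encode() + b"\0"
    return out


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def honest_builder(source_pkg):
    return deterministic_build(source_pkg)


def compromised_builder(source_pkg):
    # Constructed: a backdoored build machine alters the binary after building.
    return deterministic_build(source_pkg) + b"\0BUILD-MACHINE-INJECTED\0"


def verify_reproducible(source_pkg, builders):
    """Every builder builds the same source package; return (all_match, hashes).
    all_match is False whenever any builder's output differs from the others."""
    hashes = [sha256_hex(build(source_pkg)) for build in builders]
    return len(set(hashes)) == 1, hashes


def patched_files(source_pkg):
    """Source review step: which files does the source package change relative
    to upstream? This is the check that sees patches, not the checksum comparison."""
    upstream, patches = source_pkg["upstream"], source_pkg["patches"]
    return sorted(p for p, content in patches.items() if upstream.get(p) != content)


def scenario_honest():
    """Clean source, two honest builders: checksums agree."""
    pkg = {"upstream": UPSTREAM, "patches": {}}
    return verify_reproducible(pkg, [honest_builder, honest_builder])[0]


def scenario_compromised_machine():
    """Clean source, one tampering build machine: checksums differ, so it is detected."""
    pkg = {"upstream": UPSTREAM, "patches": {}}
    return verify_reproducible(pkg, [honest_builder, compromised_builder])[0]


def malicious_patch_pkg():
    # Constructed: the maintainer's patch changes behaviour and ships in the source package.
    return {"upstream": UPSTREAM,
            "patches": {"main.c": "int main(void) { return 1; }\n"}}


def scenario_patch_in_source_package():
    """Patched source, two honest builders: checksums agree, because both
    built exactly what the source package says. Reproducibility is satisfied;
    only patched_files() reveals that main.c was changed."""
    return verify_reproducible(malicious_patch_pkg(), [honest_builder, honest_builder])[0]


if __name__ == "__main__":
    print("honest build reproducible:        ", scenario_honest())
    print("tampering build machine detected: ", not scenario_compromised_machine())
    print("patch in source package detected: ", not scenario_patch_in_source_package())
    print("files changed by source patches:  ", patched_files(malicious_patch_pkg()))
```

The point of the last scenario is the one intrigeri makes: a reproducible build proves that the binary corresponds to the source package, nothing more. Whether the source package itself is trustworthy is answered by reviewing it (patched_files above is the crude version of that review), not by rebuilding it.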