On Sat, 2017-12-02 at 12:15 +0100, Davide Prina wrote:
> If I'm not mistaken, the automatic package build system doesn't require
> that the source signature is verified correctly. [...]
> So it doesn't have the public key (?) and so it doesn't check the
> package signature. But the package is built successfully... and
> signed.
>
> If an attacker changes the source and packages it with a wrong private
> key, can he have his "patch" applied to the signed binary packages?
The packages that the buildds are building come from the Debian archives, where the software that accepts uploads verifies the signatures on the uploads. The metadata for the upload queues is also GPG-signed by the archive software.

So, no, in practice it's not feasible for the attacker to inject packages outside of the trust structure without already having compromised some other part of the infrastructure.

Regards,
Adam