On 2013-06-20 04:44, Greg wrote: > Does anyone think that debian could participate in any programs like > PRISM? Or could a lone (or group of) sympathetic DD or DM slip a > backdoor or something that could collect private info in the binary > packages distributed by debian?
It all boils down to technical issues: 1. AFAIK when you install any Debian package it simply gets root access to your system. 2. Later, when you use the package, you only have limited control over what it really does. Perhaps SELinux: http://wiki.debian.org/SELinux could help with this, but it is not enabled on my desktop so I am not really sure how well it is supported. I.e. the policy files can sometimes be incomplete, buggy etc. 3. Linux kernel is a monolithic one with ca. 15 million LOC (lines of code). 4. As Richard already mentioned: http://lists.debian.org/debian-user/2013/06/msg00832.html , compilers can be flawed and insert any backdoor. I think the issues we could most easily deal with as a Debian community are 1-2, i.e.: 1. design a new package system with restrictions on what a package can do (a system API perhaps, that a package can use, instead of giving it a root shell) 2. enable SELinux by default (even on a desktop), so that its support matures and, at the same time, Debian installations become a harder target for any surveillance attempts. Ok, one more: 5. Perhaps we could also develop some more systematic ways of code review. Have you ever read that 1997 Epson printer driver code (which is part of your kernel) etc. -- http://people.eisenbits.com/~stf/ http://www.eisenbits.com/ OpenPGP: 80FC 1824 2EA4 9223 A986 DB4E 934E FEA0 F492 A63B -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51c72b1f.3060...@eisenbits.com
