Bdale Garbee <bd...@gag.com> writes: > In my own config, which uses cowbuilder to provide the clean chroot > build environment, the process I use creates a source package in the > cloned repo in my normal filesystem, then hands that source package into > the clean chroot build environment where it is used to build binary > packages. I test those packages in various ways, and if I like the test > results, I sign and upload the source package. In that way, I'm at > least testing the source package I create even if I'm not carefully > inspecting it?
Right, this is similar to what I do. To make the point explicitly, even though I *think* it's probably obvious to everyone reading, building binary packages locally and testing them will only catch malicious code injection in the source package if the attacker made a mistake. An attacker who is already sneaky enough to be targeting Debian source packages is quite likely to take conceptually similar precautions as the attacker in the xz-utils case took to avoid that code being detected by the uploader before upload (activating the malicious code only when built on a buildd, for instance). You will catch *some* sloppy attackers this way, to be sure, just like every step that a human takes before upload is going to catch some attacks because the attacker will have missed something and there will be some weird output or weird behavior that makes the uploader stop and go hmm. But a good attacker knows this and will try to avoid detection at that stage. And an attacker can test their attack strategy beforehand: they have a copy of your package and can try various code injection techniques and see which ones are the most likely to avoid your notice. This is a human psychology problem that's very common in the security world. Serious, sneaky attacks like this are rare. Most people will never be a target of one. Buggy source packages are very common and happen routinely. Therefore, the uploader is going to test for the thing that happens a lot, and is not going to effectively test for the thing that happens approximately never. The attacker knows all of this, and will choose their attack strategy accordingly. -- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
