Robert Tomsick:
> On 08/03/13 13:36, Rick Moen wrote:
>> Quoting Volker Birk (v...@pibit.ch):
>>
>>> Really?
>>>
>>> How do you detect if maintainers' patches contain backdoors? If I wanted
>>> to attack Debian, I would try to become the maintainer of one of
>>> the most harmless, most used pa
Volker Birk:
> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote:
>> Volker Birk:
>>> On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote:
>>>> That should help to defeat any kind of sophisticated backdoor on build
>>>> machines.
>>> Really?
>>> How do you detect if maintainers' patch
On Saturday 03 Aug 2013 20:33:03 Robert Tomsick wrote:
> On 08/03/13 13:36, Rick Moen wrote:
[...]
> > Indeed, this whole line of query (from someone who cannot even bother to
> > read debian-legal and wants to be CCed; no thanks) is basically pretty
> > dumb
[...]
>
> I'm not sure that hostility
On Sat, 03 Aug 2013, Volker Birk wrote:
> On Sat, Aug 03, 2013 at 08:46:53PM +1000, Aníbal Monsalve Salazar wrote:
> > On Sat, Aug 03, 2013 at 12:17:06PM +0200, Volker Birk wrote:
> > > Not to mention the build tool chains.
> > It reminds me of Ken Thompson's article Reflections on Trusting Trust.
On 08/03/13 13:36, Rick Moen wrote:
> Quoting Volker Birk (v...@pibit.ch):
>
>> Really?
>>
>> How do you detect if maintainers' patches contain backdoors? If I wanted
>> to attack Debian, I would try to become the maintainer of one of
>> the most harmless, most used packages. And believe me,
Quoting Volker Birk (v...@pibit.ch):
> Really?
>
> How do you detect if maintainers' patches contain backdoors? If I wanted
> to attack Debian, I would try to become the maintainer of one of
> the most harmless, most used packages. And believe me, you wouldn't see
> at the first glance, that
On Sat, Aug 03, 2013 at 08:46:53PM +1000, Aníbal Monsalve Salazar wrote:
> On Sat, Aug 03, 2013 at 12:17:06PM +0200, Volker Birk wrote:
> > Not to mention the build tool chains.
> It reminds me of Ken Thompson's article Reflections on Trusting Trust.
Yes, that's what I'm alluding to. For attacking
On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote:
> Volker Birk:
> > On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote:
> >> That should help to defeat any kind of sophisticated backdoor on build
> >> machines.
> > Really?
> > How do you detect if maintainers' patches contain back
On Sat, Aug 03, 2013 at 12:17:06PM +0200, Volker Birk wrote:
> Not to mention the build tool chains.
It reminds me of Ken Thompson's article Reflections on Trusting Trust.
In which he explains how to train the C compiler.
http://cm.bell-labs.com/who/ken/trust.html
"The moral is obvious. You ca
Volker Birk:
> On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote:
>> That should help to defeat any kind of sophisticated backdoor on build
>> machines.
>
> Really?
>
> How do you detect if maintainers' patches contain backdoors?
Someone else builds the same package (binary) and detects
On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote:
> That should help to defeat any kind of sophisticated backdoor on build
> machines.
Really?
How do you detect if maintainers' patches contain backdoors? If I wanted
to attack Debian, I would try to become the maintainer of one of
th
I think deterministic builds would be the best answer to ensure being free
of backdoors in the long term.
A deterministic build process allows multiple builders to create
identical binaries. This allows multiple parties to sign the resulting
binaries, guaranteeing that the binaries and tool chain w
On Sat, Aug 3, 2013 at 10:14 AM, Daniel Sousa wrote:
> I was reading this [1] article and it brought a question to my mind: How
> hard would it be for the FBI or the NSA or the CIA to have a couple of
> agents infiltrated as package maintainers and seeding compromised packages to
> the official rep
I was reading this [1] article and it brought a question to my mind: How
hard would it be for the FBI or the NSA or the CIA to have a couple of
agents infiltrated as package maintainers and seeding compromised packages
to the official repositories?
Could they submit an uncompromised source and keep