Debian Developers - Re: Building packages with exact binary matches


Author: Manoj Srivastava
Subject: Re: Building packages with exact binary matches
Date: 2007-09-27, 7:38 am

On Wed, 26 Sep 2007 12:31:51 +0200, Martin Uecker <muecker@gmx.de> said:

> On Wed, Sep 26, 2007 at 12:25:02AM -0500, Manoj Srivastava wrote:


> It is not about hearsay. It is about finding an error in a
> prediction. And I do not care *who* finds the error. Of course the
> predictions actually have to be checked. So you are right with your
> argument, if nobody actually does this, it would be ignorant to
> believe in a scientific theory for the sole reason that nobody
> complains. Similarly, if nobody recompiles the packages and checks for
> mismatches, then silence would in fact not imply that things are
> ok. But I question your premise: I have no doubt that some people
> would actually recompile packages and compare the hash. Even if it is
> not done normally, somebody would do this if doubts come up for some
> reason (e.g. some Debian hosts are compromised again). This alone
> would actually be worth a lot.


But recompiling from what? If you do not get the exact same
source, you have no hope of getting the same result. And the way
things work, the chances are that if the binary is tainted, the source
would be tainted -- and you have got nowhere.

> If you know that the source code which has hash 4457575757575 compiled in
> the build environment with hash 4837373737 gives a package with hash
> 366336363, then it is actually *evidence* that something is seriously
> wrong if you end up with a package with a different hash.


So, someone replaces the binary compiled on the buildd with a
fake one, in between the binary being built and it being signed? All
the work to get bit-for-bit reproducibility for such a low priority
attack vector?

manoj

--
"VMS is a text-only adventure game. If you win you can use Unix." Bill
Davidsen (davidsen@crdos1.crd.GE.COM)
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
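
The comparison argued over in this message, written out as an added example (not part of the original post and not Debian tooling): each rebuild is checked against the published (source hash, environment hash, package hash) triple, and a rebuild from different inputs is treated as inconclusive rather than as evidence. The `Attestation` class, the `assess` function, the rebuilder names and all hash inputs are hypothetical and constructed for illustration.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Attestation:
    rebuilder: str     # who performed the build (hypothetical names below)
    source_hash: str   # hash of the source that was compiled
    env_hash: str      # hash of the build environment description
    package_hash: str  # hash of the resulting binary package

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def assess(published: Attestation, rebuilds: list[Attestation]) -> dict:
    """Classify each rebuild against the published triple."""
    verdicts = {}
    for r in rebuilds:
        if (r.source_hash, r.env_hash) != (published.source_hash, published.env_hash):
            # Different inputs: a differing output proves nothing either way.
            verdicts[r.rebuilder] = "incomparable"
        elif r.package_hash == published.package_hash:
            # Ties the binary to this source hash only; it says nothing
            # about whether that source itself is trustworthy.
            verdicts[r.rebuilder] = "match"
        else:
            verdicts[r.rebuilder] = "mismatch"
    counts = Counter(verdicts.values())
    if counts["mismatch"]:
        overall = "investigate"   # same inputs, different binary
    elif counts["match"]:
        overall = "corroborated"
    else:
        overall = "unverified"    # nobody produced a comparable rebuild
    return {"overall": overall, "verdicts": verdicts}

# Constructed sample data: the byte strings stand in for real artifacts.
SRC, ENV, PKG = (sha256(b) for b in (b"source tarball", b"build env", b"package"))
PUBLISHED = Attestation("buildd", SRC, ENV, PKG)
REBUILDS = [
    Attestation("alice", SRC, ENV, PKG),
    Attestation("bob", SRC, ENV, sha256(b"other package")),
    Attestation("carol", sha256(b"other source"), ENV, sha256(b"third package")),
]

if __name__ == "__main__":
    print(assess(PUBLISHED, REBUILDS))
```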