martin f krafft <[EMAIL PROTECTED]> writes:

> And yes, I still think there's a difference between the two scenarios: a
> clean source, 11 clean binaries, but one trojaned one against an unclean
> source and 12 unclean binaries. As someone else said, post-mortem it'll
> be *much* easier to deal with the latter.
I've thought about this for a while now (you mentioned it earlier as well) and I can't see why the latter would be easier to deal with. I'm curious what difference you're seeing. Either way, you still have to verify that the source is now clean; there's no reason to assume, once a trojan is discovered, that there was only *one* trojan, and source trojans can be written to only manifest on one particular platform.

Certainly, binaries are essentially impossible to audit, so as soon as you want the security of an audit, you have to start with source. But blocking upload of binaries doesn't help with that process at all. It only would if the ftpmasters or buildd admins were then going to audit the source, which of course they're not and couldn't given the millions of lines of source in Debian.

I can construct several artificial scenarios where source-only uploads would lead to better security (such as postulating the existence of roving source code auditors who look at all the Debian source packages), but none of them describe Debian today or seem particularly likely to describe a future Debian.

The reason why people get uncomfortable around this area of Debian's security is because they *should* be; what they may miss is that the same issues apply to *all* software, and they should be equally nervous about any software they download off the net, in any form. The largest mitigation of the risk is that most software comes with chains of trust, breaks in those chains of trust usually have other symptoms and are discovered through other methods, and as soon as someone finds a problem the word spreads fairly fast.

It would surprise me a great deal if SuSE were any better at auditing the code they incorporate into their distribution than Debian is.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

