intrigeri:
> Hi,
>
> adrelanos wrote (04 Aug 2013 03:04:33 GMT) :
>> Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +0000, adrelanos wrote:
>>>> Volker Birk:
>>>>> On Sat, Aug 03, 2013 at 09:16:40AM +0000, adrelanos wrote:
>>>>>> That should help to defeat any kind of sophisticated backdoor on build
>>>>>> machines.
>>>>> Really?
>>>>> How do you detect, if maintainer's patches contain backdoors?
>>>> Someone else builds the same package (binary) and detects a different
>>>> checksum. - That required deterministic builds.
>>>
>>> There will be the correct checksum, if the maintainer of the package
>>> does it.
>
>> Why?
>
>>> So no way to detect that with deterministic builds.
>
>> Why not?
>
> I believe you have missed something around "if maintainer's patches
> contain backdoors". Maintainer's patches are part of the source
> package, and applied to the source before the binary package is built.
> As you can see, it's obvious checksums and deterministic builds don't
> help in such a case.

Sure, if you refer to the trusting trust issue, deterministic builds don't tackle this.
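
The distinction argued in this thread, as an added example that is not part of the original messages: independent rebuilds expose a tampered build machine, but a backdoor carried in the maintainer's patch is part of the source, so every rebuilder reproduces the same checksum. The `build` function is a toy stand-in for a deterministic build, and all names and inputs are constructed for illustration.

```python
import hashlib
from collections import Counter


def build(source: bytes, builder_compromised: bool = False) -> bytes:
    """Toy deterministic build: the output depends only on the source,
    unless the build machine itself injects extra content."""
    binary = b"BIN:" + hashlib.sha256(source).digest()
    if builder_compromised:
        binary += b"<injected-by-build-machine>"
    return binary


def compare_rebuilds(results: dict[str, bytes]) -> list[str]:
    """Return the builders whose binary checksum differs from the majority."""
    digests = {name: hashlib.sha256(b).hexdigest() for name, b in results.items()}
    majority, _ = Counter(digests.values()).most_common(1)[0]
    return sorted(name for name, d in digests.items() if d != majority)


# Constructed sample inputs (not real package contents).
UPSTREAM = b"int main(void) { return 0; }\n"
CLEAN_PATCH = b"/* maintainer patch: fix typo */\n"
BACKDOOR_PATCH = b"/* maintainer patch: hidden backdoor */\n"


def scenario_compromised_builder() -> list[str]:
    """Clean source, but the maintainer's build machine is tampered with."""
    src = UPSTREAM + CLEAN_PATCH
    return compare_rebuilds({
        "maintainer": build(src, builder_compromised=True),
        "rebuilder-a": build(src),
        "rebuilder-b": build(src),
    })


def scenario_backdoored_patch() -> list[str]:
    """Backdoor lives in the source package; all build machines are honest."""
    src = UPSTREAM + BACKDOOR_PATCH
    return compare_rebuilds({
        "maintainer": build(src),
        "rebuilder-a": build(src),
        "rebuilder-b": build(src),
    })


if __name__ == "__main__":
    print("compromised builder flagged:", scenario_compromised_builder())
    print("backdoored patch flagged:   ", scenario_backdoored_patch())
```
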

