On 17/04/2022 19:26, Satvik Sinha wrote:

> abusing your OS's reputation?

i believe the answer is in the question. debian is based on distributed trust.  
i did the analysis (took 3 weeks): it is literally the only distro in the world 
with an inviolate chain of trust from a large keyring dating back 20 years that 
is itself GPG-signed as a package, with a package distribution chain from 
source where all components within the chain up to release are unbroken and 
inviolate.

take ubuntu for example: whilst it has the exact same technology, the size of 
the developer pool, comprising the web of trust, is both much smaller and also 
controlled by one Corporation: Canonical. Canonical says "jump", the developers 
ask "how high".

take Suse, Fedora etc: their RPM packages break the chain of trust by failing 
to properly include a GPG Signature of the Release (i do not recall the exact 
details, i did the analysis 4 years ago).

take Archlinux: their community is vulnerable to unverified github repositories 
being abandoned, a hacker re-registering them, and a trojan uploaded and 
distributed automatically.

i won't even bother going into the absolute moronic practice of "trusting" 
HTTPS: node, pypi, etc should be blindingly obviously untrustworthy, with the 
website being a prime hacking target if nothing else.

even GNU packages are hopelessly inadequately secure as far as social 
engineering and hacking are concerned.

debian is not a single centralised repository, it is controlled by no-one. you 
have to compromise hundreds of independent developers before you make any 
headway, and as a result it was trusted by e.g. the Venezuelan Government as 
the basis for their own distro, many years ago.

there is not even a centralised dependency on a website: packages may be 
securely distributed by Carrier Pigeon or printed out on paper and OCR scanned 
if you really want to because there is a full GPG Chain and Checksums, right 
back to the source code.

and that (GPG Chains) basically, is the key.  anyone stupid enough to do 
something stupid is going to be throwing away their reputation, not just within 
the debian project as a maintainer, but for life.

you abuse your position as a maintainer by putting in trojan code, because that 
trojan package had to be GPG Signed, you have to make a *public and 
irreversible declaration* which will remain in historical archives for the rest 
of your life and beyond.

this would result in catastrophic consequences for not just their involvement 
in debian (which would be terminated with prejudice), but because their GPG 
Signature on the trojan package is public, inviolate and irrevocable, it would 
also have catastrophic consequences for their career in IT because nobody would 
ever trust them in a position of responsibility, ever again. they'd be flipping 
burgers for the rest of their life.

fundamentally, then, you are assuming that there is "one controller of debian", 
which is false.  there are literally hundreds of *independent* developers, all 
of whom know their responsibility, all of whom know that they have all other 
independent developers keeping an eye on them.

this makes debian pretty much the only distro that could be trusted to remain 
true to humanity and to its principles and its charter. even when some of them 
(you know who you are) are, when it comes down to it, not very nice people, they 
can at least be trusted to do the right thing.

l.
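As an added illustration (not part of the message above, and not Debian's own apt or dak code), here is the checksum chain that the signed Release file vouches for: Release lists the SHA256 of each Packages index, and each Packages stanza lists the SHA256 of its .deb. The GPG step itself (gpgv on InRelease against the archive keyring) is assumed to have passed already; all sample data below are constructed in the block.

```python
# Constructed walk of the Debian-style hash chain: (signed) Release -> Packages -> .deb.
# The GPG check of InRelease is assumed done beforehand; this verifies only the
# checksum links that signature covers.
import hashlib
import re

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if re.match(r"^\S+:", line):          # a new top-level field starts
            in_section = line.startswith("SHA256:")
            continue
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages: str) -> dict:
    """Return {Package: {field: value}} for each stanza in a Packages file."""
    stanzas = {}
    for block in packages.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        stanzas[fields["Package"]] = fields
    return stanzas

def verify_chain(release: str, packages: bytes, packages_path: str,
                 deb: bytes, package_name: str) -> bool:
    """True only if every checksum link from Release down to the .deb holds."""
    want = parse_release_sha256(release).get(packages_path)
    if want is None or want != (sha256_hex(packages), len(packages)):
        return False                          # Packages index does not match Release
    stanza = parse_packages(packages.decode()).get(package_name)
    if stanza is None:
        return False
    return (stanza["SHA256"], int(stanza["Size"])) == (sha256_hex(deb), len(deb))

# Constructed sample data: a fake .deb, its Packages stanza, and a Release file
# whose SHA256 section is computed here so the chain is consistent by construction.
DEB = b"fake deb contents"
PACKAGES = ("Package: hello\nVersion: 2.10-2\nFilename: pool/main/h/hello/hello_2.10-2_amd64.deb\n"
            f"Size: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n").encode()
RELEASE = ("Origin: Debian\nSuite: stable\nSHA256:\n"
           f" {sha256_hex(PACKAGES)} {len(PACKAGES)} main/binary-amd64/Packages\n")
```

Any single altered byte in the Packages index or the .deb breaks a link and `verify_chain` returns False, which is the property the signature on Release extends down to every package.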
