On Mon, Dec 17, 2001 at 05:19:07PM -0500, Joey Hess wrote:
> Anyway, one can put a cvs checkout in the build rule w/o breaking any
> autobuilders, if you're really careful. base-config has had this for
> ages, without causing any problems:

Sure. But it does open a security risk. If people manage to trick the builder into downloading files from their server instead of the real one, and use them for building the package, this can lead to serious problems. In your example, it does 'only' affect a list of mirrors (attacker could include his own mirror address). In examples where code is downloaded[1], the binaries could include trojans etc. As the source and build tree is often deleted shortly after building, it would be very hard to even notice such an attack.

Sure, the cost for an attacker to do this is high. But it's a weak member of a chain, and would defeat all signatures and other methods we try to apply to make our system secure.

In theory, packages should never be built on network connected machines. That this is unrealistic is clear. However, in theory this also would mean that such features as your example provided are never used. :)

Thanks,
Marcus

[1] Such an example existed, some binutils-* package did this.

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org [EMAIL PROTECTED]
Marcus Brinkmann              GNU    http://www.gnu.org    [EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.marcus-brinkmann.de
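
A check a package reviewer could run over a debian/rules file to spot the build-time downloads discussed in this message. It is an added example, not part of the original message or of any Debian tool; the tool list, the sample rules file and the name `find_network_fetches` are assumptions made for illustration.

```python
import re

# Commands that pull data over the network (assumed, non-exhaustive list).
NET_TOOLS = {"cvs", "svn", "git", "wget", "curl", "ftp", "rsync", "scp"}
SPLIT_RE = re.compile(r"[;&|()`]|\b(?:then|do|else|shell)\b")  # a new command starts after these
TARGET_RE = re.compile(r"^([^\s:#=][^:=]*):(?!=)")  # "target: deps", not "VAR := value"

# Constructed sample, not taken from any real package.
SAMPLE_RULES = """\
#!/usr/bin/make -f
PKG := example
build: build-stamp
build-stamp:
\tif [ -d CVS ]; then \\
\t\tcvs -q update mirrors.list; \\
\tfi
\t$(MAKE) all

binary: build
\t# wget is only mentioned in this comment
\t-/usr/bin/wget -O data.tar.gz http://mirror.example/data.tar.gz
"""

def find_network_fetches(rules_text):
    """Return (target, first_line, tool) for each recipe command that runs a network tool."""
    findings, target, pending, start = [], None, None, 0
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        if pending is None:
            line, start = raw, lineno
        else:                                  # join backslash continuations
            line = pending + " " + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = None
        if not line.startswith("\t"):          # not a recipe line: maybe a new target
            m = TARGET_RE.match(line)
            target = m.group(1).strip() if m else target
            continue
        body = line.strip()
        if target is None or body.startswith("#"):
            continue
        for segment in SPLIT_RE.split(body):   # look at the first word of each command
            words = segment.split()
            tool = words[0].lstrip("@+-").rsplit("/", 1)[-1] if words else ""
            if tool in NET_TOOLS:
                findings.append((target, start, tool))
    return findings
```

A hit only says that a target reaches for the network; whether the fetched data ends up in the binary package still has to be judged by reading the rule.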