On Tuesday, 25 June 2024, 22:13:53 CEST, Philip Hands wrote:
> Aigars Mahinovs <aigar...@gmail.com> writes:
> > Do you actually check that the contents of the source *package* (after all
> > operations done by dpkg-source and possibly other tools) actually match
> > what you were looking at before in your source work tree folder?
> 
> Until this thread, the idea that doing so might be prudent had not even
> occurred to me TBH.
> 
> Now that it has, it also occurs to me that if I actually were subject to
> an attack that was attempting to sneak something in at this point, my
> system might well have been tampered with to render it unable to detect
> the change (by replacing diff with a version blind to the changes etc.)

Following on the red team idea from Russ; if dpkg-source added a "# report a 
bug to dpkg-source if you see me" comment in debian/rules at build time 
(hidden in the .debian.tar, but not present in the local directory), I would 
not be surprised if this was only detected by casual readers of 
sources.debian.org, or NMUers, but not by any uploaders. And I'd bet that this 
would span several hundreds of uploads before being detected (and of course, 
this would affect tag2upload similarly).

But if this is done not as an attack on the dpkg-source package, but just as a 
local compromise of $PATH on a DD's laptop, who would detect it? I certainly 
wouldn't have.

-- 
    OdyX
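The check Aigars asks about, namely whether the files inside the generated .debian.tar actually match the debian/ directory of the work tree, can be scripted. The following is an added example, not code from this thread or from dpkg: it hashes every regular file under debian/ in the work tree, hashes every member of the tarball, and reports files present on one side only or with differing content. The package name "hello", the file contents and the extra comment planted in the tarball's debian/rules are all constructed sample data so the example runs offline; in practice you would point it at the real source directory and the .debian.tar.* that dpkg-source wrote.

```python
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digests(root: Path, subdir: str = "debian") -> dict:
    """Map 'debian/...' relative paths to SHA-256 for regular files in the work tree."""
    digests = {}
    for p in sorted((root / subdir).rglob("*")):
        if p.is_file():
            digests[p.relative_to(root).as_posix()] = _sha256(p.read_bytes())
    return digests


def tarball_digests(tar_path: Path) -> dict:
    """Map member paths (normalised, so './debian/x' == 'debian/x') to SHA-256."""
    digests = {}
    with tarfile.open(tar_path, "r:*") as tf:
        for member in tf.getmembers():
            if member.isfile():
                data = tf.extractfile(member).read()
                digests[os.path.normpath(member.name)] = _sha256(data)
    return digests


def compare(tree: dict, tar: dict) -> dict:
    """Report paths only in the tree, only in the tarball, or with differing content."""
    tree_keys, tar_keys = set(tree), set(tar)
    return {
        "only_in_tree": sorted(tree_keys - tar_keys),
        "only_in_tar": sorted(tar_keys - tree_keys),
        "modified": sorted(k for k in tree_keys & tar_keys if tree[k] != tar[k]),
    }


def build_demo(tmp: Path):
    """Constructed sample: a toy work tree plus a .debian.tar.gz whose debian/rules
    carries an extra comment the work tree does not contain (hypothetical data)."""
    work = tmp / "hello-1.0"
    (work / "debian").mkdir(parents=True)
    files = {
        "debian/control": b"Source: hello\nMaintainer: Example <ex@example.org>\n",
        "debian/rules": b"#!/usr/bin/make -f\n%:\n\tdh $@\n",
        "debian/changelog": b"hello (1.0-1) unstable; urgency=medium\n",
    }
    for rel, data in files.items():
        (work / rel).write_bytes(data)
    tar_path = tmp / "hello_1.0-1.debian.tar.gz"
    with tarfile.open(tar_path, "w:gz") as tf:
        for rel, data in files.items():
            if rel == "debian/rules":  # the planted change we want the check to catch
                data += b"# report a bug to dpkg-source if you see me\n"
            info = tarfile.TarInfo(name=rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return work, tar_path


def demo() -> dict:
    """Run the comparison on the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as d:
        work, tar_path = build_demo(Path(d))
        return compare(tree_digests(work), tarball_digests(tar_path))


if __name__ == "__main__":
    print(demo())  # expected: {'only_in_tree': [], 'only_in_tar': [], 'modified': ['debian/rules']}
```

The comparison is by content hash rather than by a diff tool, and both hash maps are plain dictionaries that can be dumped and compared on a second, independently administered machine, which is the only way to address Philip's point that a compromised laptop could also carry a diff (or a Python) blind to the change. The example covers only the debian/ tarball of a 3.0 (quilt) package; the upstream tarball and any debian/patches applied at unpack time would need the same treatment.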
