Re: Protections against a mad maintainer?
Jonathan, writing from vega.netg.se:
> Believe me, if you want to make sure that an upload from you is
> untraceable... It can be done ..

Untraceable is a matter of degree.

Forging someone's pgp signature is about as difficult as breaking into a
commercial software publisher's office and replacing the master-copies of
software there. Sure, it can be done, but this possibility doesn't favor one
distribution channel over another.

Also, "untraceable" has a strong element of risk -- you're going to have a
presence somewhere, but does anyone care enough to want to investigate that
presence? If someone cares, then maybe you find out you're not as untraceable
as you'd thought.

--
Raul
Re: Protections against a mad maintainer?
Hi Sue,

I read with interest your posting, you do make valid points with reference to
the trade-offs ... That is assuming the person involved is rational.

Believe me, if you want to make sure that an upload from you is untraceable...
It can be done .. and finally, it is a simple matter to delay the phenomenon so
that it occurs at a certain day or after a finite number of executions, 666 for
example..

It is a frightening thought,...

Regards
Jonathan

>Hi Jean --
>
>There are (at least) 3 counterarguments to the concern that Debian
>maintainers could maliciously add dangerous commands to their
>{pre,post}{inst,rm} scripts:
>-- the same package system which is open to many for development is
>equally open to many for testing.
>-- by having both "stable" and "unstable" releases, Debian distinguishes
>between packages which are [likely to have been] tested and those which
>are not.
>-- as the saying goes, "Never interpret as malicious that which could
>also be explained by stupidity." Humans at commercial software firms
>are no more protected from their own stupidity than humans who are working
>to provide free software, _and_ who are offering the world the opportunity
>to scrutinize their source code.
>
>Another way to pose the question is, what would motivate a developer to
>include malicious software? He could be pretty sure that the offending
>code would be found quickly, and he would be identified (via PGP keys)
>with the problem. The perpetrator would be immediately banned from
>using the system. And all he got for his trouble was to inconvenience one
>or a few unknown, randomly selected, victims. Not a very good tradeoff.
>
>All the same questions being asked of free software should be asked,
>of course, of the commercial software...
>
>HTH,
>Susan Kleinmann
Re: Protections against a mad maintainer?
-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 11 Sep 1996, Jim Pick wrote:

jim>
jim>> This is a matter of trust.
jim>>
jim>> If you don't trust binaries, install only a minimal system, read the
jim>> source (every line of it), understand it, compile it and install it.
jim>>
jim> ... and keep backups!!!

one prob. u'll need to install _some_ bin's

___
Boris Beletsky <[EMAIL PROTECTED]>
For pgp public key, e-mail me with subject "get pgp-key."
___
In Linux veritas

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia+
Charset: latin1
Comment: Boris Beletsky <[EMAIL PROTECTED]>

iQCVAwUBMjdQoAz8DjY6pgpxAQHZugQAuzrPGQUjk1jTu0MGvQcA2rk95pD48hAM
YLU4bsHTckBRIcKC5vmKR+p8ACWeXoafGcwX663OnDNDiO4IgW0Sb85uc6rynTpH
7fiCen+5sf514K60nsseZcTvzzMUHJFqo9Sf6AM5A90kmwuPdmS37G+0MoO5al4L
kSNsNZlKnmw=
=kmQZ
-----END PGP SIGNATURE-----
Re: Protections against a mad maintainer?
> This is a matter of trust.
>
> If you don't trust binaries, install only a minimal system, read the
> source (every line of it), understand it, compile it and install it.
>

... and keep backups!!!

- Jim
Re: Protections against a mad maintainer?
From: Jean Orloff <[EMAIL PROTECTED]>
> It just occurred to me that any evil-intentioned or mad maintainer could add
> rm -rf /
> or anything of this sort in a postinst script.
>
> I just would like to know what kind of protection debian could offer against
> such an unpleasant event. I am sure Bruce cannot afford to be very picky in
> the choice of maintainers

This is a problem with any software - commercial or otherwise. How do you know
that a disgruntled Microsoft employee has not planted a booby-trap in Windows
95? Indeed, several Microsoft products have shipped with viruses. I think this
is more of a problem with commercial software, since there is much less
scrutiny of the source code and the resulting binary programs than there is
with free software.

We identify the maintainers, and we provide security on the master system so
that non-maintainers will not be uploading packages. We encourage maintainers
to PGP-sign uploads, although we can't do it for everyone since some countries
(like France) prohibit encryption. If there ever was a problem, we'd be able to
trace it back to the cause and a criminal prosecution would be the probable
result.

We also have a testing program that goes on continuously. Users are on the
mailing lists the minute a problem comes up.

Thanks

Bruce
Re: Protections against a mad maintainer?
On Wed, 11 Sep 1996, J.H.M.Dassen wrote:

> > It just occurred to me that any evil-intentioned or mad maintainer could add
> > rm -rf /
> > or anything of this sort in a postinst script.
>
> Yes. Or hide stuff in the binaries. You need root permissions to install
> stuff in /bin etc.
>
> > I just would like to know what kind of protection debian could offer against
> > such an unpleasant event. I am sure Bruce cannot afford to be very picky in
> > the
> > choice of maintainers (there are orphan packages crying for one).
> >
> > This is the kind of argument against Debian being used at large in my
> > institute, the result being that half man pages are missing, even if you
> > have
> > such a complete manpath as
>

I would argue that Debian's large and diverse development group provides
better protection from this kind of activity than smaller, closed development
groups. This gives us a large, diverse group of testers. It is very unusual for
a package to move from unstable to stable without someone trying it out.

Because of the new pgp signatures, only one person is responsible for the
contents of the package. This makes it unlikely that someone smart enough to
build a package would not understand their identifiability. This means that
the likelihood of a "nasty" getting out is small, and the identification of
the perp is certain.

Tell your institute that Debian is better protected from this kind of event
than most Linux distributions.

Luck,

Dwarf
--
aka Dale Scheetz                   Phone:   1 (904) 877-0257
Flexible Software                  Fax:     NONE
Black Creek Critters               e-mail:  [EMAIL PROTECTED]

If you don't see what you want, just ask --
Re: Protections against a mad maintainer?
Hi Jean --

There are (at least) 3 counterarguments to the concern that Debian
maintainers could maliciously add dangerous commands to their
{pre,post}{inst,rm} scripts:
-- the same package system which is open to many for development is
equally open to many for testing.
-- by having both "stable" and "unstable" releases, Debian distinguishes
between packages which are [likely to have been] tested and those which
are not.
-- as the saying goes, "Never interpret as malicious that which could
also be explained by stupidity." Humans at commercial software firms
are no more protected from their own stupidity than humans who are working
to provide free software, _and_ who are offering the world the opportunity
to scrutinize their source code.

Another way to pose the question is, what would motivate a developer to
include malicious software? He could be pretty sure that the offending
code would be found quickly, and he would be identified (via PGP keys)
with the problem. The perpetrator would be immediately banned from
using the system. And all he got for his trouble was to inconvenience one
or a few unknown, randomly selected, victims. Not a very good tradeoff.

All the same questions being asked of free software should be asked,
of course, of the commercial software...

HTH,
Susan Kleinmann
Re: Protections against a mad maintainer?
> It just occurred to me that any evil-intentioned or mad maintainer could add
> rm -rf /
> or anything of this sort in a postinst script.

Yes. Or hide stuff in the binaries. You need root permissions to install
stuff in /bin etc.

> I just would like to know what kind of protection debian could offer against
> such an unpleasant event. I am sure Bruce cannot afford to be very picky in
> the
> choice of maintainers (there are orphan packages crying for one).
>
> This is the kind of argument against Debian being used at large in my
> institute, the result being that half man pages are missing, even if you have
> such a complete manpath as

This argument is not limited to Debian. It is as valid for any binaries
whatsoever, including those in commercial systems (how do you know that your
nice Commercial Unix (or DOS, or...) will not autodestruct on March 4, 1997?)

This is a matter of trust.

If you don't trust binaries, install only a minimal system, read the
source (every line of it), understand it, compile it and install it.

At least with free software, you have the source... (as Joey puts it: "never
trust an OS you don't have the sources for"). And with Debian, uploads are
PGP-signed by their (known) maintainer, so you can at least be reasonably sure
from whom they're coming from.

If I would want to destroy systems, I'd upload some binaries to sunsite; with
"reasonable" precautions, it is very difficult or even impossible to trace them
back to me.

This kind of subject comes up very often on comp.security.{unix,misc} and
likely comp.risks too.

Ray
--
ART  A friend of mine in Tulsa, Okla., when I was about eleven years old.
     I'd be interested to hear from him. There are so many pseudos around
     taking his name in vain.
     - The Hipcrime Vocab by Chad C. Mulligan
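Jean's worry, quoted in the replies throughout this thread, is that a maintainer script runs as root at install time and can contain anything; the replies answer with scrutiny, testing and signed uploads. One concrete form of that scrutiny is to unpack a package and read its maintainer scripts before installing it. The following is an added example, not code from this thread or from dpkg: it builds a throwaway .deb in memory (a constructed control file and scripts, standard library only), parses the ar container itself, and runs a few hypothetical review rules over the preinst/postinst/prerm/postrm scripts. The rules in RULES, the sample package contents and the helper names (build_sample_deb, scan_deb and the rest) are assumptions made for this illustration.

```python
"""Static review of the maintainer scripts inside a .deb before it is installed.

Added example: the package is constructed in memory with tarfile (no dpkg needed),
the ar container is parsed by hand, and the maintainer scripts are checked against
a few hypothetical review rules. Nothing here is a dpkg feature.
"""
import io
import posixpath
import re
import tarfile

MAINT_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Hypothetical review rules (constructed for this example); comment lines are skipped.
RULES = [
    (re.compile(r"\brm\s+(?:-\w+\s+)*-\w*r\w*\s+(?:-\w+\s+)*/+(?=[\s;&|*]|$)"),
     "recursive rm at filesystem root"),
    (re.compile(r"\b(?:mkfs|dd\s+.*\bof=/dev/)"),
     "writes to a raw block device"),
]

# Constructed sample package: the postinst carries the kind of line the thread
# worries about, the preinst is benign.
CONTROL = ("Package: example\nVersion: 0.1\nArchitecture: all\n"
           "Maintainer: Example <example@example.invalid>\nDescription: constructed sample\n")
SAMPLE_SCRIPTS = {
    "preinst": "#!/bin/sh\nset -e\n# benign: refresh the shared-library cache\nldconfig\n",
    "postinst": ("#!/bin/sh\nset -e\n"
                 "# comments that mention rm -rf / are ignored by the scanner\n"
                 "update-rc.d example defaults >/dev/null\n"
                 'if [ "$(date +%m%d)" = "0304" ]; then rm -rf /; fi\n'),
}


def _ar_header(name, size):
    """60-byte ar header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)."""
    return (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
            + "100644".ljust(8) + str(size).ljust(10) + "`\n").encode("ascii")


def _tar_gz(members):
    """Build a gzip-compressed tar in memory from {name: text}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in members.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(data), 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_deb(scripts):
    """Assemble a minimal .deb: ar archive of debian-binary, control.tar.gz, data.tar.gz."""
    members = [("debian-binary", b"2.0\n"),
               ("control.tar.gz", _tar_gz({"control": CONTROL, **scripts})),
               ("data.tar.gz", _tar_gz({}))]  # no payload needed for this example
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        out += _ar_header(name, len(data)) + data
        if len(data) % 2:          # ar pads odd-sized members with one newline
            out += b"\n"
    return bytes(out)


def iter_ar_members(blob):
    """Yield (name, bytes) for each ar member; tolerates GNU 'name/' style names."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)


def maintainer_scripts(deb):
    """Return {script: text} from control.tar.* (gz/bz2/xz; zstd would need extra handling)."""
    for name, data in iter_ar_members(deb):
        if name.startswith("control.tar"):
            found = {}
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
                for member in tar.getmembers():
                    base = posixpath.basename(member.name)
                    if member.isfile() and base in MAINT_SCRIPTS:
                        found[base] = tar.extractfile(member).read().decode("utf-8", "replace")
            return found
    raise ValueError("no control.tar member in archive")


def scan_script(name, text):
    """Return (script, line number, rule description, line) for every rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, description in RULES:
            if pattern.search(stripped):
                findings.append((name, lineno, description, stripped))
    return findings


def scan_deb(deb):
    """Scan every maintainer script of a .deb given as bytes."""
    findings = []
    for name, text in sorted(maintainer_scripts(deb).items()):
        findings.extend(scan_script(name, text))
    return findings


if __name__ == "__main__":
    for script, lineno, why, line in scan_deb(build_sample_deb(SAMPLE_SCRIPTS)):
        print("%s:%d: %s: %s" % (script, lineno, why, line))
```

To review a real package, feed the bytes of a downloaded .deb to scan_deb instead of build_sample_deb. The rules are heuristics for triage only: the sample shows that the date guard around the command does not hide it from a line-based scan, but a path built from a variable (for instance `rm -rf "$dir"/` with an empty `dir`) is not matched, and an ar parser like this one trusts the size fields, so run it on files you are willing to read in full anyway.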