Re: Compromising Debian Repositories

2013-08-23 Thread Neil McGovern
On Thu, Aug 22, 2013 at 06:11:35PM -0400, Paul Henning wrote: > Nope, not gonna do that. He can come right out and deny it himself, so it's > on record. He's had weeks to do it and except for one personal reply has > been tight lipped about it. Furthermore, I'm curious how that sabotage got > by f

Re: Compromising Debian Repositories

2013-08-22 Thread Paul Henning
Nope, not gonna do that. He can come right out and deny it himself, so it's on record. He's had weeks to do it and except for one personal reply has been tight lipped about it. Furthermore, I'm curious how that sabotage got by for 2+ years (thanks for correcting me Kurt) before it was discovered?

Re: Compromising Debian Repositories

2013-08-22 Thread kloschi
Probably parts of the answer lie in deterministic builds, see below. hth. best, kloschi - Original Message Subject: [liberationtech] Deterministic Builds Part One: Cyberwar and Global Compromise Date: Thu, 22 Aug 2013 10:39:56 +00

Re: Compromising Debian Repositories

2013-08-22 Thread adrelanos
Timo Juhani Lindfors: > adrelanos writes: >> Some Debian maintainers are working on deterministic builds, although >> they call it reproducible builds, that's great! Link: >> https://wiki.debian.org/ReproducibleBuilds > > Terminology is hard :) As mentioned in the bof we can make sure that the >

Re: Compromising Debian Repositories

2013-08-22 Thread Jonathan Wiltshire
On 2013-08-05 22:07, Paul Henning wrote: he was either threatened or paid - probably the latter - to cripple the entropy on by the NSA, and they've had a war on randomness for a long time now. That is an extremely serious accusation and one that you haven't backed up at all. If you hold some e

Re: Compromising Debian Repositories

2013-08-21 Thread Timo Juhani Lindfors
adrelanos writes: > Some Debian maintainers are working on deterministic builds, although > they call it reproducible builds, that's great! Link: > https://wiki.debian.org/ReproducibleBuilds Terminology is hard :) As mentioned in the bof we can make sure that the build is deterministic or we can

Re: Compromising Debian Repositories

2013-08-21 Thread adrelanos
Just wanted to share news on this topic. Why are deterministic builds important? Mike Perry from The Tor Project wrote a blog post: https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise Some Debian maintainers are working on deterministic builds, although t

Re: Compromising Debian Repositories

2013-08-07 Thread Michael Stone
On Wed, Aug 07, 2013 at 05:26:24PM +0100, Daniel Sousa wrote: I think most of you are focusing on servers running Debian, but when I asked the question I was thinking about personal computers. For example, if there are any vulnerabilities on ssh, they won't be able to get into my computer anyway

Re: Compromising Debian Repositories

2013-08-07 Thread Daniel Sousa
On Mon, Aug 5, 2013 at 9:17 AM, intrigeri wrote: > I need a reality check, as it's unclear to me what are the goals of > this discussion. I don't think there are any goals. I asked it just to understand if it would be possible to do what I was thinking (apparently, it is) and the discussion con

Re: Compromising Debian Repositories

2013-08-07 Thread Holger Levsen
Hi Paul, On Montag, 5. August 2013, Paul Henning wrote: > Yes, kick Kurt Roeckx from his admin privileges to start. It's the easiest > most basic thing you can do. [more FUD deleted] are you paid by some three or four letter agency to spread FUD? cheers & sorry, I couldn't resist, Holger

Re: Compromising Debian Repositories

2013-08-06 Thread sp113438
On Sat, 3 Aug 2013 10:48:52 +0200 Paul Wise wrote: > On Sat, Aug 3, 2013 at 10:14 AM, Daniel Sousa wrote: > > > I was reading this [1] article and it brought a question to my > > mind: How hard would it be for the FBI or the NSA or the CIA to > > have a couple of agents infiltrated as package ma

Re: Compromising Debian Repositories

2013-08-06 Thread Michael Stone
On Mon, Aug 05, 2013 at 09:11:21PM +0100, Joe wrote: I don't think there is a goal, I think we are all ruefully conceding that the much-vaunted Open Source process is simply unable to deliver trustworthy code, since the process of compiling the Open Sources to binary involves using utterly un-aud

Re: Compromising Debian Repositories

2013-08-05 Thread Rick Moen
Quoting Paul Henning (vxbin...@gmail.com): > Yes, kick Kurt Roeckx from his admin privileges to start. It's the easiest > most basic thing you can do. Zero tolerance for crippling software like he > did and it should go for everyone, lest you want another scandal. He still > maintains the critical

Re: Compromising Debian Repositories

2013-08-05 Thread Scott Leggett
On 05/08/13 18:17, intrigeri wrote: > Hi, > > I need a reality check, as it's unclear to me what are the goals of > this discussion. > > Does anyone involved plan to work on improving things, and then we're > discussing where it would be best to focus their energy? If that's the > case, then I su

Re: Compromising Debian Repositories

2013-08-05 Thread Kurt Roeckx
On Mon, Aug 05, 2013 at 05:07:20PM -0400, Paul Henning wrote: > > Yes, kick Kurt Roeckx from his admin privileges to start. [...] > And not just for OpenSSL, he > contributes to ntp as well. You forget that I also have access to all the buildds. Kurt

Re: Compromising Debian Repositories

2013-08-05 Thread Paul Henning
intrigeri wrote: >Does anyone involved plan to work on improving things, and then we're discussing where it would be best to focus their energy? Yes, kick Kurt Roeckx from his admin privileges to start. It's the easiest most basic thing you can do. Zero tolerance for crippling software like he di

Re: Compromising Debian Repositories

2013-08-05 Thread Joe
On Mon, 05 Aug 2013 10:17:05 +0200 intrigeri wrote: > Hi, > > I need a reality check, as it's unclear to me what are the goals of > this discussion. > > Does anyone involved plan to work on improving things, and then we're > discussing where it would be best to focus their energy? If that's the

Re: Compromising Debian Repositories

2013-08-05 Thread intrigeri
Hi, I need a reality check, as it's unclear to me what are the goals of this discussion. Does anyone involved plan to work on improving things, and then we're discussing where it would be best to focus their energy? If that's the case, then I suggest we try to design solutions with baby steps tha

Re: Compromising Debian Repositories

2013-08-04 Thread adrelanos
Daniel Sousa: > On Sun, Aug 4, 2013 at 2:55 PM, Michael Stone wrote: > >> On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote: >> >>> I think the real issue is about if the malicious patch is not part of >>> the source package >>> >> >> Why? It certainly makes your argument simpler if

Re: Compromising Debian Repositories

2013-08-04 Thread adrelanos
Michael Stone: > On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote: >> I think the real issue is about if the malicious patch is not part of >> the source package > > Why? It certainly makes your argument simpler if you arbitrarily > restrict the problem set, but it isn't obvious that

Re: Compromising Debian Repositories

2013-08-04 Thread Michael Stone
On Sun, Aug 04, 2013 at 05:13:51PM +0100, Daniel Sousa wrote: First of all, they could apply that change (calling it a patch was not one of my greatest ideas) for every update they do, it's not necessarily a one time thing. It's also much easier (and probably much more dangerous) to write some code th

Re: Compromising Debian Repositories

2013-08-04 Thread Daniel Sousa
On Sun, Aug 4, 2013 at 2:55 PM, Michael Stone wrote: > On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote: > >> I think the real issue is about if the malicious patch is not part of >> the source package >> > > Why? It certainly makes your argument simpler if you arbitrarily restrict

Re: Compromising Debian Repositories

2013-08-04 Thread Michael Stone
On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote: I think the real issue is about if the malicious patch is not part of the source package Why? It certainly makes your argument simpler if you arbitrarily restrict the problem set, but it isn't obvious that it makes sense. If I wa

Re: Compromising Debian Repositories

2013-08-04 Thread Volker Birk
On Sun, Aug 04, 2013 at 02:25:03PM +0200, Jann Horn wrote: > On Sun, Aug 04, 2013 at 10:51:08AM +0200, Volker Birk wrote: > > Now I'm surprised ;-) I think, this is not a matter of security of > > checksums here. Of course, only a digital signature will do, or at least > > a MAC. > Huh, what? Aren'

Re: Compromising Debian Repositories

2013-08-04 Thread Daniel Sousa
I am really sorry if you think it's rude to start a topic here without subscribing. I thought that it was acceptable, since a lot of people do it in debian-users (I know it has a lot more volume than this one) and it's the default action when you click on "Reply to All" in most clients (well, proba

Re: Compromising Debian Repositories

2013-08-04 Thread Jann Horn
On Sun, Aug 04, 2013 at 10:51:08AM +0200, Volker Birk wrote: > Now I'm surprised ;-) I think, this is not a matter of security of > checksums here. Of course, only a digital signature will do, or at least > a MAC. Huh, what? Aren't MACs always symmetric? How do MACs fit in here?

Re: Compromising Debian Repositories

2013-08-04 Thread adrelanos
Volker Birk: > On Sun, Aug 04, 2013 at 03:04:33AM +, adrelanos wrote: >> Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote: >>> There will be the correct checksum, if the maintainer of the package >>> does it. >> Why? > > How and by whom are checksums defined? Please hav

Re: Compromising Debian Repositories

2013-08-04 Thread adrelanos
Heimo Stranner: > On 2013-08-04 09:50, intrigeri wrote: >> Hi, >> >> adrelanos wrote (04 Aug 2013 03:04:33 GMT) : >>> Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote: > Volker Birk: >> On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote: >>> That should hel

Re: Compromising Debian Repositories

2013-08-04 Thread adrelanos
intrigeri: > Hi, > > adrelanos wrote (04 Aug 2013 03:04:33 GMT) : >> Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote: Volker Birk: > On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote: >> That should help to defeat any kind of sophisticated backdoor on b

Re: Compromising Debian Repositories

2013-08-04 Thread Riku Valli
On 08/04/2013 11:51 AM, Volker Birk wrote: > To make that clear: I don't think this is a matter of security of > the procedure what we're discussing. It is a matter of trusting > the involved people. > > Yours, VB. Exactly, problem is similar as trusted certificate authors were for ssl certific

Re: Compromising Debian Repositories

2013-08-04 Thread Heimo Stranner
On 2013-08-04 09:50, intrigeri wrote: > Hi, > > adrelanos wrote (04 Aug 2013 03:04:33 GMT) : >> Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote: Volker Birk: > On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote: >> That should help to defeat any kind of s

Re: Compromising Debian Repositories

2013-08-04 Thread Volker Birk
On Sun, Aug 04, 2013 at 03:04:33AM +, adrelanos wrote: > Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote: > > There will be the correct checksum, if the maintainer of the package > > does it. > Why? How and by whom are checksums defined? > > And if you're taking the bu

Re: Compromising Debian Repositories

2013-08-04 Thread intrigeri
Hi, adrelanos wrote (04 Aug 2013 03:04:33 GMT) : > Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote: >>> Volker Birk: On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote: > That should help to defeat any kind of sophisticated backdoor on build > machines.

Re: Compromising Debian Repositories

2013-08-03 Thread adrelanos
Robert Tomsick: > On 08/03/13 13:36, Rick Moen wrote: >> Quoting Volker Birk (v...@pibit.ch): >> >>> Really? >>> >>> How do you detect, if maintainer's patches contain backdoors? If I would >>> want to attack Debian, I would try to become the maintainer of one of >>> the most harmless, most used pa

Re: Compromising Debian Repositories

2013-08-03 Thread adrelanos
Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote: >> Volker Birk: >>> On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote: That should help to defeat any kind of sophisticated backdoor on build machines. >>> Really? >>> How do you detect, if maintainer's patch

Re: Compromising Debian Repositories

2013-08-03 Thread Nick Boyce
On Saturday 03 Aug 2013 20:33:03 Robert Tomsick wrote: > On 08/03/13 13:36, Rick Moen wrote: [...] > > Indeed, this whole line of query (from someone who cannot even bother to > > read debian-legal and wants to be CCed; no thanks) is basically pretty > > dumb [...] > > I'm not sure that hostility

Re: Compromising Debian Repositories

2013-08-03 Thread Henrique de Moraes Holschuh
On Sat, 03 Aug 2013, Volker Birk wrote: > On Sat, Aug 03, 2013 at 08:46:53PM +1000, Aníbal Monsalve Salazar wrote: > > On Sat, Aug 03, 2013 at 12:17:06PM +0200, Volker Birk wrote: > > > Not to mention the build tool chains. > > It reminds me of Ken Thompson's article Reflections on Trusting Trust.

Re: Compromising Debian Repositories

2013-08-03 Thread Robert Tomsick
On 08/03/13 13:36, Rick Moen wrote: > Quoting Volker Birk (v...@pibit.ch): > >> Really? >> >> How do you detect, if maintainer's patches contain backdoors? If I would >> want to attack Debian, I would try to become the maintainer of one of >> the most harmless, most used packages. And believe me,

Re: Compromising Debian Repositories

2013-08-03 Thread Rick Moen
Quoting Volker Birk (v...@pibit.ch): > Really? > > How do you detect, if maintainer's patches contain backdoors? If I would > want to attack Debian, I would try to become the maintainer of one of > the most harmless, most used packages. And believe me, you wouldn't see > at the first glance, that

Re: Compromising Debian Repositories

2013-08-03 Thread Volker Birk
On Sat, Aug 03, 2013 at 08:46:53PM +1000, Aníbal Monsalve Salazar wrote: > On Sat, Aug 03, 2013 at 12:17:06PM +0200, Volker Birk wrote: > > Not to mention the build tool chains. > It reminds me of Ken Thompson's article Reflections on Trusting Trust. Yes, that's what I'm alluding to. For attacking

Re: Compromising Debian Repositories

2013-08-03 Thread Volker Birk
On Sat, Aug 03, 2013 at 10:38:34AM +, adrelanos wrote: > Volker Birk: > > On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote: > >> That should help to defeat any kind of sophisticated backdoor on build > >> machines. > > Really? > > How do you detect, if maintainer's patches contain back

Re: Compromising Debian Repositories

2013-08-03 Thread Aníbal Monsalve Salazar
On Sat, Aug 03, 2013 at 12:17:06PM +0200, Volker Birk wrote: > Not to mention the build tool chains. It reminds me of Ken Thompson's article Reflections on Trusting Trust. In which he explains how to train the C compiler. http://cm.bell-labs.com/who/ken/trust.html "The moral is obvious. You ca

Re: Compromising Debian Repositories

2013-08-03 Thread adrelanos
Volker Birk: > On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote: >> That should help to defeat any kind of sophisticated backdoor on build >> machines. > > Really? > > How do you detect, if maintainer's patches contain backdoors? Someone else builds the same package (binary) and detects

Re: Compromising Debian Repositories

2013-08-03 Thread Volker Birk
On Sat, Aug 03, 2013 at 09:16:40AM +, adrelanos wrote: > That should help to defeat any kind of sophisticated backdoor on build > machines. Really? How do you detect, if maintainer's patches contain backdoors? If I would want to attack Debian, I would try to become the maintainer of one of th

Re: Compromising Debian Repositories

2013-08-03 Thread adrelanos
I think deterministic builds would be the best answer to ensure, in the long term, being free of backdoors. A deterministic build process allows multiple builders to create identical binaries. This allows multiple parties to sign the resulting binaries, guaranteeing that the binaries and tool chain w

Re: Compromising Debian Repositories

2013-08-03 Thread Paul Wise
On Sat, Aug 3, 2013 at 10:14 AM, Daniel Sousa wrote: > I was reading this [1] article and it brought a question to my mind: How > hard would it be for the FBI or the NSA or the CIA to have a couple of > agents infiltrated as package maintainers and seeding compromised packages to > the official rep

Compromising Debian Repositories

2013-08-03 Thread Daniel Sousa
I was reading this [1] article and it brought a question to my mind: How hard would it be for the FBI or the NSA or the CIA to have a couple of agents infiltrated as package maintainers and seeding compromised packages to the official repositories? Could they submit an uncompromised source and keep