
Re: fakeroot a solution for multi-architecture building?



The packages are only handled by the arch-specific builders AFTER
Guy has got them through his procedure of bringing them into the
distribution for the initial architectures. They are already verified
as authentic. The arch-specific builders could have a special pgp
key to authenticate uploads coming from them like any other developer.


On Sat, 27 Sep 1997, joost witteveen wrote:

>> With fakeroot there is a way to securely build packages without
>> risking some trojan horse in the debian/rules or similar things.
>
>As the author of fakeroot, I really like this idea.
>(And, I would like to say I'm working on your VIRTUAL_ROOT idea,
>although in a somewhat different form than you suggested. And, it
>may take some time to write it).
>
>But there's one problem I haven't heard anyone report yet:
>
>What about the pgp signatures for the .deb files?
>
>Usually, the maintainer signs the .changes file, and thus vouches
>for the integrity of the .deb archive. But with automated .deb
>creation, just any computer on the "automated build list" can
>insert .deb files that are corrupt.
>
>So, for example, if my computer were on the list of computers
>that can generate i386 archives, and I have samba installed
>(I did, yesterday), any cracker can break into my system with
>that samba bug, and upload .deb's modified to do whatever they
>want[1]. Would it be wise to require that those build-systems
>have a trimmed-down /etc/inetd.conf? Or maybe that they don't
>have many users that could break into the system?
>
>
>
>[1] Yes, I know in principle that's possible now too, a cracker
>    could have broken into my computer, and modified dpkg-deb
>    on my system. But it's not as easy, and it will only work
>    while I'm building .debs (They'd need my private pgp key)
>
>-- 
>joost witteveen, joostje@debian.org
>#!/usr/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
>$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
>lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
>#what's this? see http://www.dcs.ex.ac.uk/~aba/rsa/
>
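
The arrangement discussed in this thread, a builder key that may vouch only for uploads of its own architecture, sketched as an added example (not code from the thread or from Debian's archive tools). The key table, the fingerprint, the sample files and the function names are hypothetical; the signer fingerprint is assumed to come from a signature check done beforehand, and the hashes are read from the Checksums-Sha256 field of the .changes file.

```python
import hashlib

# Constructed policy (assumption): builder key fingerprint -> architectures it may upload.
BUILDER_KEYS = {"1111222233334444555566667777888899990000": {"i386"}}

# Constructed sample: a stand-in .deb and the .changes body that lists it.
DEB = b"constructed stand-in for a .deb payload"
SAMPLE_CHANGES = (
    "Source: hello\n"
    "Architecture: i386\n"
    "Checksums-Sha256:\n"
    f" {hashlib.sha256(DEB).hexdigest()} {len(DEB)} hello_1.0-1_i386.deb\n"
)

def parse_changes(text):
    """Parse the 'Field: value' lines of a .changes body (signature armor removed)."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:       # continuation of a multi-line field
            fields[key].append(line.strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = [value.strip()] if value.strip() else []
    return fields

def check_upload(changes_text, signer_fpr, files):
    """Return reasons to reject an upload; an empty list means accept.
    files maps each received file name to its bytes."""
    allowed = BUILDER_KEYS.get(signer_fpr)
    if allowed is None:
        return ["signer is not a registered builder key"]
    fields, problems, listed = parse_changes(changes_text), [], set()
    archs = set(" ".join(fields.get("Architecture", [])).split())
    if not archs or not archs <= allowed:         # key used outside its architecture
        extra = sorted(archs - allowed) or ["(none)"]
        problems.append("key not authorised for: " + ", ".join(extra))
    for entry in fields.get("Checksums-Sha256", []):
        digest, size, name = entry.split()
        listed.add(name)
        data = files.get(name)
        if data is None:
            problems.append(f"{name}: listed but not uploaded")
        elif len(data) != int(size) or hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"{name}: size or SHA-256 mismatch")
    for name in sorted(set(files) - listed):      # files the signature says nothing about
        problems.append(f"{name}: uploaded but not covered by the signature")
    return problems
```

A check like this limits what a stolen builder key can sign for; it does not detect a .deb that was altered on the build host before that host signed it, which is the risk raised in the quoted message.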
