Re: make-pgp-clean-room suggestions / patches

To: debian-security@lists.debian.org
Cc: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>
Subject: Re: make-pgp-clean-room suggestions / patches
From: Russell Coker <russell@coker.com.au>
Date: Sun, 05 Nov 2017 11:03:58 +1100
Message-id: <[🔎] 11466486.XyiSTmAKFy@xev>
Reply-to: russell@coker.com.au
In-reply-to: <[🔎] e15e3a3b-8be5-2602-f890-8738b2daf249@zoho.com>
References: <1c0a1915-bea0-0842-1577-bd1369148042@zoho.com> <[🔎] e15e3a3b-8be5-2602-f890-8738b2daf249@zoho.com>

On Saturday, 4 November 2017 7:36:02 PM AEDT Rebecca N. Palmer wrote:
> Background: my sponsor suggested that I apply for DM over a year ago,
> and the reason I haven't done so is that I'm not sure my security is up
> to it, given that anyone who hacks a DM can upload a Trojan.  I only own
> one computer [0] (meaning it gets used for everything from contributing
> to casual web browsing and reading often-spam email) and my skills are
> at the maths-not-sysadmin end of programming.  I have recently been
> reading up on security with intent to resolve this.

Don't worry too much about this.  There are lots of DDs who have given me 
cause to doubt their ability to secure their own systems.  But they are still 
much better than the people I've worked with on proprietary software projects.

While someone could hack a DM or DD and upload a trojan, if they trojaned 
someone else's package (EG something popular like libc) then it would be 
noticed very quickly.  If they trojaned a package maintained by the person 
they hacked then it would give the same result as if upstream had trojaned the 
package (which has happened to Debian but without particularly nasty results).

> Given the very security-sensitive nature of this project, can you point
> me to (or create) some proof that the person behind it is Pocock-the-DD?
>   If such already exists, I can't find it: neither the announcement
> messages [2] nor the commits are signed, there isn't a Debian package,
> and Alioth doesn't show the userid (the one where lack of -guest = DD)
> of commits anywhere I can find.

The best thing to do is attend some FOSS meetups and get your GPG key 
reasonably well connected in the web of trust.  Then you can establish a chain 
of trust from your key to the keys of people you want to communicate with.

https://pgp.cs.uu.nl/stats/d141cd30fc4b8f79.html

Above is one site that can find chains of trust.

If you are worried about doing everything on one PC (which most DDs don't 
worry about) then is getting a second PC an option?  If you were local to me 
(your timezone suggests that you aren't) then I'd be happy to give you an i3 
or i5 class system with 8G of RAM.  It's amazing what companies throw out 
nowadays.  I'm currently using an i7 system that came from a rubbish pile.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Reply to:

References:
- make-pgp-clean-room suggestions / patches
  - From: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>

Prev by Date: make-pgp-clean-room suggestions / patches
Next by Date: Re: Security support for chromium in jessie
Previous by thread: make-pgp-clean-room suggestions / patches
Next by thread: Re: Security support for chromium in jessie
Index(es):
- Date
- Thread