
Re: Summary of the current state of the tag2upload discussion

From Didier 'OdyX' Raboud <odyx@debian.org>
Newsgroups linux.debian.vote
Subject Re: Summary of the current state of the tag2upload discussion
Date 2024-06-26 11:20 +0200
Message-ID <ITwYN-5HlP-7@gated-at.bofh.it> (permalink)
References <ITwYN-5HlP-9@gated-at.bofh.it> <IRUVz-4BnQ-1@gated-at.bofh.it> <ITjoR-5yhe-1@gated-at.bofh.it> <ITkNX-5zr0-5@gated-at.bofh.it>
Organization Debian - The Universal OS



On Tuesday, 25 June 2024, 22:13:53 CEST, Philip Hands wrote:
> Aigars Mahinovs <aigarius@gmail.com> writes:
> > Do you actually check that the contents of the source *package* (after all
> > operations done by dpkg-source and possibly other tools) actually match
> > what you were looking at before in your source work tree folder?
> 
> Until this thread, the idea that doing so might be prudent had not even
> occurred to me TBH.
> 
> Now that it has, it also occurs to me that if I actually were subject to
> an attack that was attempting to sneak something in at this point, my
> system might well have been tampered with to render it unable to detect
> the change (by replacing diff with a version blind to the changes etc.)

Following on the red team idea from Russ; if dpkg-source added a "# report a 
bug to dpkg-source if you see me" comment in debian/rules at build time 
(hidden in the .debian.tar, but not present in the local directory), I would 
not be surprised if this was only detected by casual readers of 
sources.debian.org, or NMUers, but not by any uploaders. And I'd bet that this 
would span several hundreds of uploads before being detected (and of course, 
this would affect tag2upload similarly).

But if this is done not as an attack on the dpkg-source package, but just as a 
local compromise of $PATH on a DD's laptop, who would detect it? I certainly 
wouldn't have.

-- 
    OdyX
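The check Aigars asks about, written out as an added example (it is not part of the original post, nor code from dpkg-source or Debian): unpack the `.debian.tar.xz` that the source-package build produced and compare its `debian/` tree, file by file, against the `debian/` directory of the working tree you were actually looking at. To keep it runnable offline, the script constructs a tiny fake working tree and a tarball whose `debian/rules` carries the "# report a bug to dpkg-source if you see me" line from the post; the package name `pkg`, the version `1.0-1` and the file contents are made up for the example.

```python
"""Compare the working tree's debian/ directory against the debian/
tree inside a built .debian.tar.xz, the way an uploader could before
signing.  Sample package and injected line are constructed inline."""
import difflib
import io
import tarfile
import tempfile
from pathlib import Path

# The marker line from the post: present in the tarball, absent locally.
INJECTED_LINE = "# report a bug to dpkg-source if you see me\n"


def build_sample(root: Path) -> tuple[Path, Path]:
    """Create a fake working tree pkg-1.0/ and a pkg_1.0-1.debian.tar.xz
    whose debian/rules has one extra line (constructed test data)."""
    src = root / "pkg-1.0"
    (src / "debian").mkdir(parents=True)
    rules = "#!/usr/bin/make -f\n%:\n\tdh $@\n"
    (src / "debian" / "rules").write_text(rules)
    (src / "debian" / "control").write_text("Source: pkg\n")

    tarball = root / "pkg_1.0-1.debian.tar.xz"
    with tarfile.open(tarball, "w:xz") as tf:
        for name, content in (("debian/control", "Source: pkg\n"),
                              ("debian/rules", rules + INJECTED_LINE)):
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return src, tarball


def read_tar_debian(tarball: Path) -> dict[str, bytes]:
    """Map member path -> bytes for every regular file in the tarball."""
    with tarfile.open(tarball, "r:*") as tf:
        return {m.name: tf.extractfile(m).read()
                for m in tf.getmembers() if m.isfile()}


def read_tree_debian(src: Path) -> dict[str, bytes]:
    """Map 'debian/...' -> bytes for every file under the local debian/."""
    return {p.relative_to(src).as_posix(): p.read_bytes()
            for p in (src / "debian").rglob("*") if p.is_file()}


def compare(src: Path, tarball: Path) -> dict[str, list[str]]:
    """Return {path: explanation lines} for every file that differs.
    An empty dict means the tarball matches the working tree exactly."""
    tree = read_tree_debian(src)
    tar = read_tar_debian(tarball)
    report: dict[str, list[str]] = {}
    for name in sorted(set(tree) | set(tar)):
        if name not in tree:
            report[name] = ["only in tarball\n"]
        elif name not in tar:
            report[name] = ["only in working tree\n"]
        elif tree[name] != tar[name]:
            # difflib runs in-process, so a swapped diff(1) in $PATH
            # cannot hide the change; a tampered interpreter still could.
            report[name] = list(difflib.unified_diff(
                tree[name].decode(errors="replace").splitlines(keepends=True),
                tar[name].decode(errors="replace").splitlines(keepends=True),
                fromfile=f"tree/{name}", tofile=f"tar/{name}"))
    return report


def demo() -> dict[str, list[str]]:
    """Build the sample and compare it; returns the difference report."""
    with tempfile.TemporaryDirectory() as d:
        src, tarball = build_sample(Path(d))
        return compare(src, tarball)


if __name__ == "__main__":
    for name, lines in demo().items():
        print(name)
        print("".join(lines))
```

Run as written and the report names exactly one file, `debian/rules`, with the injected comment as a `+` line. Because the comparison uses Python's own `tarfile` and `difflib` rather than shelling out, replacing `diff` in `$PATH` does not blind it; as the post notes, though, the same local compromise could just as well alter the interpreter or its modules, so this is a check against honest tooling mistakes, not a defence against a compromised machine.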
