
Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

Pirate Praveen wrote [Wed, Oct 04, 2017 at 04:52:37PM +0530]:
> > However, that verification isn't really sufficient if a rebuild
> > on the buildds could download an entirely different version of the
> > out-of-archive tools: a sufficiently inventive attacker who had gained
> > control over upstream's distribution channel could even arrange to serve
> > a non-malicious toolchain to your IP address, but then serve a malicious
> > version to Debian buildds' IP addresses.
> 
> But Debian buildds already prohibit network access during build, and
> these packages always have to have the binary included. So the theoretical
> security issue never manifests in practice.

So, what happens currently? Do the affected packages FTBFS? (that,
IMHO, would be a *good* thing, as we would only need to patch Policy
to reflect reality)

> > At least that way, you have the opportunity to inspect the pre-built
> > binary (I hope "binary" here means a bundled/minified version that is
> > not the preferred form for modification but is somewhat human-readable,
> > rather than something as opaque as a compiled C binary) and have some
> > level of confidence that it corresponds to the source.
> 
> That is how it is happening even now, as it will always be built on a
> maintainer's machine. Having pre-built binaries instead will only change
> the perception. It makes the build process non-standard and manual, making it
> harder for others to build (they will need to learn about nodejs specifics,
> unlike with the regular dpkg-buildpackage) or introduces possibilities of
> making mistakes (any manual step can introduce mistakes).

No. It does not only change the perception. You ship a pre-built
binary as part of your sources; then the build process (with, yes, a
piece of untrusted blob... but still, that's as far as we can get)
will happen across our buildds, or by whoever wants to NMU, or even by
yourself days or weeks later, with a piece of software known to yield
the package as it got built. We will not be bitten by a random site
being unexpectedly offline, or by a transpiler changing some
command-line options without notifying us (to mention only two
possible issues).

> But as I already mentioned in my last mail, I will accept this advice,
> even though I'm not convinced.

Yes. Reading through the thread, I see several people are still
directing their criticisms of this situation at your person. Let's try
to keep this separate from Praveen, and focus on the general
reasoning!


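A concrete form of the check argued for above, as an added example that is not part of this thread or of any Debian tooling: the maintainer records the checksums of the pre-built files shipped in the source package once, after inspecting them, and every later build (a buildd, an NMU, or the maintainer's own machine weeks later) verifies those checksums before using the files, so a different blob can never silently replace the one that was reviewed. The manifest name debian/vendored.sha256, the function names and the sample minified file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian's packaging tools.
# Assumed layout: the pre-built (minified) files live under dist/ in the
# source package and debian/vendored.sha256 pins their sha256 checksums.
set -eu

# record_vendored SRCDIR MANIFEST FILE...
# Run once on the maintainer's machine after inspecting the pre-built files;
# the resulting manifest is committed alongside them in the source package.
record_vendored() {
    srcdir=$1; manifest=$2; shift 2
    ( cd "$srcdir" && sha256sum "$@" ) > "$manifest"
}

# verify_vendored SRCDIR MANIFEST
# Run from the build (e.g. before dh_auto_build). Returns 0 only if every
# listed file is present and byte-identical to what the maintainer recorded.
# --strict makes a malformed manifest line a failure instead of a warning.
verify_vendored() {
    srcdir=$1; manifest=$2
    ( cd "$srcdir" && sha256sum --check --strict --quiet - ) < "$manifest"
}

# demo: builds a constructed source tree, records the manifest, verifies the
# untouched copy, then replaces the blob (the "different version served to
# the buildd" case from the quoted mail) and checks that verification fails.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/dist" "$tmp/src/debian"
    manifest="$tmp/src/debian/vendored.sha256"

    # Constructed stand-in for a bundled, minified build output.
    printf '!function(){console.log("d3-color")}();\n' > "$tmp/src/dist/d3-color.min.js"
    record_vendored "$tmp/src" "$manifest" dist/d3-color.min.js

    # Fresh copy: must verify.
    verify_vendored "$tmp/src" "$manifest" >/dev/null 2>&1 \
        || { echo "fresh copy was rejected" >&2; rm -rf "$tmp"; return 1; }

    # Substituted blob: must be rejected.
    printf '!function(){fetch("https://example.invalid/")}();\n' > "$tmp/src/dist/d3-color.min.js"
    if verify_vendored "$tmp/src" "$manifest" >/dev/null 2>&1; then
        echo "tampered copy was accepted" >&2; rm -rf "$tmp"; return 1
    fi

    rm -rf "$tmp"
    echo ok
}
```

In a real package the verify step would be called from debian/rules before anything consumes the pre-built files, so that a mismatch turns into a build failure rather than a silently different package; since the manifest travels inside the source package, the check needs no network access and works the same on a buildd, in an NMU, and on the maintainer's machine.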