Reflections on Trusting Trust
Colin Percival
cperciva at freebsd.org
Tue Nov 29 23:44:37 GMT 2005
Kris Kennaway wrote:

> I'd be happy to work with someone who can implement a solution for the
> package side. The important thing to keep in mind is that packages
> are built automatically on many distributed machines. Any solution
> for signing packages would therefore need to also be automated,
> e.g. signing them automatically when the packages are pulled back from
> the build client to server.

Even before you get to that point, you have to worry about making sure
that the build clients are secure. One possibility which worries me a
great deal is that a trojan in the build code for a low-profile port
(e.g., misc/my-port-which-nobody-else-uses) could allow an attacker to
gain control of a build client (and then insert trojans into packages
which are built there).

Of course, there are some mechanisms which can be used -- for example,
jails -- but I'm not willing to trust the security of every system which
ever installs FreeBSD packages to the hope that nobody will ever find a
security flaw which permits a jailbreak. Once Xen is more mature, I
imagine that it will be very useful for performing such builds securely.

Colin Percival