linux

inakrin, 2015-06-16 13:17:21

Is there a package protection against a backdoor introduced by the maintainer?

I've been thinking about this question and haven't found an answer.
What protection is there against a maintainer who builds an rpm or deb package for some Linux distribution introducing a backdoor into it, whether out of his own malicious intent or under pressure from outside?
What guarantees are there that a package downloaded from the repository does not contain backdoors planted by the maintainer?


2 answer(s)
Adamos, 2015-06-16
@Adamos

Usually there are two repositories - one with binaries, the other with sources.
Don't trust the maintainers - compile it yourself, who's stopping you.
Don't trust the author either - read the code, it's open.
Anyone can check, build everything themselves and confirm authenticity or spot a forgery.
So you can usually trust the maintainers...
You may ask yourself what kind of backdoor protection you have in proprietary software that is licensed to you in binary form. Just for comparison.

Sergey N, 2015-06-18
@Albibek

Each package is signed with a private key, and the keys are distributed with the distribution. The whole question is who owns the private key used for signing.
If it is the creators of the distribution, then they trust the maintainer and most likely sign packages without looking at the changes. Perhaps they have some additional control over the maintainers themselves, but I haven't heard of such a thing. In any case, you need to look into each specific distribution: find out its development model and quality-control methods. I think you'll find publications on the official sites.
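The two answers above describe two different checks: the signature chain that Sergey N mentions (a key you already hold vouches for a package index, and the index lists the hash of every package), and the "compile it yourself" route that Adamos suggests, which turns into a comparison between your own rebuilt package and the one the repository serves. The script below is an added example and is not code from this thread or from any distribution's tooling. It uses only POSIX sh, coreutils and awk, builds a constructed mini-repository in a temporary directory, and the index format (`<sha256> <size> <filename>`) is a simplified stand-in for a real `Packages` file. The `verify_index_signature` function wraps `gpgv`, Debian's verifier for `Release` signatures, and is only exercised when `gpgv` is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Trust chain of a signed repository:
#   distribution key -> signed index -> per-package sha256 -> package bytes.
# Note what the chain proves: the bytes are what the key holder signed. It
# says nothing about whether the signer reviewed the contents, which is
# exactly the point raised in the answer above.

# Hex sha256 of a file (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Hash the index lists for a file name. Index format is constructed and
# simplified: one line per package, "<sha256> <size> <filename>".
expected_sha256() {
  awk -v f="$2" '$3 == f { print $1 }' "$1"
}

# Compare a downloaded (or locally rebuilt, if the build is reproducible)
# package against the index entry. 0 = match, 1 = mismatch or not listed.
verify_package_hash() {
  index=$1
  pkg=$2
  want=$(expected_sha256 "$index" "$(basename "$pkg")")
  if [ -z "$want" ]; then
    echo "not listed in index: $pkg" >&2
    return 1
  fi
  have=$(sha256_of "$pkg")
  if [ "$have" = "$want" ]; then
    echo "OK   $pkg"
    return 0
  fi
  echo "FAIL $pkg (index says $want, file has $have)" >&2
  return 1
}

# The index is only worth something if it is signed by a key you already
# hold. Debian ships the archive keys in /usr/share/keyrings; gpgv takes the
# detached signature (Release.gpg) and the signed file (Release).
# Returns 2 when gpgv is absent so callers can tell "unverified" from "bad".
verify_index_signature() {
  keyring=$1
  sig=$2
  index=$3
  if ! command -v gpgv >/dev/null 2>&1; then
    echo "gpgv not installed; signature not checked" >&2
    return 2
  fi
  gpgv --keyring "$keyring" "$sig" "$index"
}

# Constructed sample: two mirrors serve a file of the same name, but mirror-b
# has altered bytes. The index was generated from mirror-a's copy.
make_sample_repo() {
  dir=$(mktemp -d)
  mkdir "$dir/mirror-a" "$dir/mirror-b"
  printf 'constructed package bytes v1\n' > "$dir/mirror-a/hello_1.0_all.deb"
  printf 'constructed package bytes v1 plus extra\n' > "$dir/mirror-b/hello_1.0_all.deb"
  printf '%s %s %s\n' \
    "$(sha256_of "$dir/mirror-a/hello_1.0_all.deb")" \
    "$(wc -c < "$dir/mirror-a/hello_1.0_all.deb" | tr -d ' ')" \
    hello_1.0_all.deb > "$dir/Packages"
  echo "$dir"
}

main() {
  repo=$(make_sample_repo)
  verify_package_hash "$repo/Packages" "$repo/mirror-a/hello_1.0_all.deb"
  verify_package_hash "$repo/Packages" "$repo/mirror-b/hello_1.0_all.deb" \
    || echo "mirror-b copy rejected, as it should be"
  rm -rf "$repo"
}

# Set NO_DEMO=1 to source the functions without running the demo.
[ "${NO_DEMO:-0}" = 1 ] || main
```

The hash check passes for the mirror-a copy and fails for the mirror-b copy, which is all a signature chain can do for you: it catches tampering between the signer and you, not a backdoor the signer built in. To use the hash comparison the way Adamos suggests, rebuild the package from the published source and feed your own `.deb` to `verify_package_hash`; a match is only expected when the distribution's build is reproducible, which is something to look up per distribution, as Sergey N says.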
