Re: RPM
On Wed, 2 Apr 1997, Bruce Perens wrote:
> Unfortunately, I feel that Debian must bear the cost of certification
> of maintainers and original authors. Unless I can tell someone I know
> where a program came from, no other security procedures can be trusted
> to have any effectiveness whatsoever.
Yes, they are. Testing, and revising developers' diffs. If you could check
the package MD5 (someday we'll be able to do this =) ), you'll only need to
see the diff.gz to check for security problems (assuming we can trust the
mainstream developer).
The problem left is: the .deb uploaded can be generated from a source not
included in the source package. It would be great if gcc placed some kind
of signature in binaries... but it doesn't... So... what can we do? I say:
let's make all developers upload only the source versions of their
packages! An automated script can compile all the packages in some trusted
environment.
--
Nicolás Lichtmaier.- | Try visiting #debian in Undernet (us.undernet.org)
nick@feedback.com.ar | The channel of the debian developers =)
- Follow-Ups:
- Re: RPM
- From: Paul Wade <paulwade@greenbush.com>
- References:
- Re: RPM
- From: bruce@pixar.com (Bruce Perens)
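The workflow proposed in the message above (keep only the uploaded source, rebuild it in a trusted environment, and accept a binary package only if it matches the rebuild, plus checking the package's published digests) as an added example. This is not code from the thread or from Debian's tooling. The "build" is a constructed stand-in, a deterministic tar of the source tree; a real rebuild needs fixed timestamps, paths and toolchain before two builds produce identical digests. The sample source tree, the package name `hello_1.0.deb` and the manifest lines are constructed for the example, and SHA-256 is used in place of the MD5 the post mentions because MD5 is collision-broken today.

```python
"""Added example: reproducible-rebuild check for an uploaded binary package."""
import hashlib
import hmac
import io
import tarfile

# Constructed sample source tree: path -> file contents.
SOURCE = {
    "hello-1.0/Makefile": b"all:\n\tcc -o hello hello.c\n",
    "hello-1.0/hello.c": b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
}


def deterministic_build(source: dict) -> bytes:
    """Constructed stand-in for 'compile the package in a trusted environment'.
    Files are added in sorted order with fixed metadata, so the output depends
    only on the source contents, not on the builder's clock, uid or readdir order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(source):
            data = source[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(data: bytes, algo: str = "sha256") -> str:
    # MD5 was the only choice in 1997; it is collision-broken, so SHA-256 is used here.
    return hashlib.new(algo, data).hexdigest()


def parse_sums(manifest: str) -> dict:
    """Parse md5sum/sha256sum style lines: '<hexdigest>  <filename>'."""
    sums = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, _, name = line.partition("  ")
        sums[name.strip()] = hexdigest.lower()
    return sums


def verify_manifest(files: dict, manifest: str, algo: str = "sha256") -> dict:
    """Check each uploaded file against the digests listed in the manifest.
    A file named in the manifest but absent from the upload counts as a failure;
    digests are compared in constant time."""
    expected = parse_sums(manifest)
    return {
        name: (name in files
               and hmac.compare_digest(digest(files[name], algo), want))
        for name, want in expected.items()
    }


def binary_matches_source(uploaded_binary: bytes, source: dict) -> bool:
    """The check the post argues for: rebuild from the uploaded source and
    compare digests. A binary generated from source that is not in the
    upload (an extra file, a different version) does not match."""
    rebuilt = deterministic_build(source)
    return hmac.compare_digest(digest(rebuilt), digest(uploaded_binary))


if __name__ == "__main__":
    honest = deterministic_build(SOURCE)
    # Binary built from a tree with a file the source upload does not contain.
    tampered = deterministic_build(
        dict(SOURCE, **{"hello-1.0/backdoor.c": b"/* not in the uploaded source */\n"}))
    print("honest binary matches source:  ", binary_matches_source(honest, SOURCE))
    print("tampered binary matches source:", binary_matches_source(tampered, SOURCE))
    manifest = f"{digest(honest)}  hello_1.0.deb\n"
    print(verify_manifest({"hello_1.0.deb": honest}, manifest))
```

The two checks are independent: the manifest check only proves the bytes that arrived are the bytes the uploader listed, while the rebuild check is what ties the binary to the source actually published. Without a deterministic build the second check cannot work, which is the hard part the toy tar glosses over.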