
Re: Protections against a mad maintainer?



Hi Sue,
  I read with interest your posting, you do make valid points with reference to
the trade-offs ... That is assuming the person involved is rational.  Believe
me, if you want to make sure that an upload from you is untraceable... It can be
done .. and finally, it is a simple matter to delay the phenomenon so that it
occurs on a certain day or after a finite number of executions, 666 for
example..
  It is a frightening thought,...

Regards 

Jonathan


>Hi Jean --
>
>There are (at least) 3 counterarguments to the concern that Debian 
>maintainers could maliciously add dangerous commands to their 
>{pre,post}{inst,rm} scripts:
>-- the same package system which is open to many for development is 
>equally open to many for testing.
>-- by having both "stable" and "unstable" releases, Debian distinguishes 
>between packages which are [likely to have been] tested and those which 
>are not.
>-- as the saying goes, "Never interpret as malicious that which could 
>also be explained by stupidity."   Humans at commercial software firms
>are no more protected from their own stupidity than humans who are working
>to provide free software, _and_ who are offering the world the opportunity
>to scrutinize their source code.  
>
>Another way to pose the question is, what would motivate a developer to
>include malicious software?  He could be pretty sure that the offending
>code would be found quickly, and he would be identified (via PGP keys)
>with the problem.  The perpetrator would be immediately banned from 
>using the system.  And all he got for his trouble was to inconvenience one
>or a few unknown, randomly selected, victims.  Not a very good tradeoff.
>
>All the same questions being asked of free software should be asked, 
>of course, of the commercial software...  
>
>HTH,
>Susan Kleinmann
