On 18.02.2012 10:11, Teus Benschop wrote:
> To put things in perspective, I just wonder how strong this 'fortress' really is, and whether this strength is only in our perception or whether it is real. Let me give just one example: A developer downloads a tarball from an upstream source, configures it, and does make install, yet has not even once checked whether this tarball is secure or is not a rootkit.
This is true, but...
a) this would be a general attack against all people, which is usually a tiny bit harder to do than the local sysadmin just hacking colleagues..
b) as everyone is affected then (all users of the package),... there is a greater chance of noticing it
most important...
c) the ideal situation would of course be that the maintainer has a good relationship with upstream, perhaps has even met them in person, exchanged OpenPGP keys with them and uses those (or weaker means[0]) to verify every single download.

Cheers,
Chris.

[0] Some projects secure their sites e.g. with X.509 certs by one of the commercial CAs.... I guess this is better than nothing, but many recent cases have shown us that the whole strict hierarchical trust model of X.509 is basically for trash.
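To make the verification step described in c) concrete, here is an added example (not code from either poster) of a POSIX shell check that refuses to build a tarball unless its detached OpenPGP signature verifies against a pinned upstream fingerprint held in a dedicated keyring; the keyring path, the fingerprint and the tarball names are placeholders. It goes beyond a plain `gpg --verify`, whose exit status only says that *some* key in the keyring signed the file.

```shell
#!/bin/sh
# Added example: verify an upstream tarball with a detached signature before
# configure/make install. Assumes GnuPG 2.x is installed. KEYRING and
# EXPECTED_FPR are placeholders for the keyring holding only the upstream
# maintainer's key (e.g. exchanged in person) and that key's fingerprint.
KEYRING="${KEYRING:-./upstream-keyring.gpg}"
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_UPSTREAM_FINGERPRINT}"

# check_validsig STATUS_TEXT FINGERPRINT
# Reads GnuPG --status-fd output. Succeeds only if a VALIDSIG line names the
# expected fingerprint (signing key or primary key, fields 3 and last) and no
# BADSIG/ERRSIG/expired/revoked-key status appears. Note that gpg still emits
# VALIDSIG for a revoked or expired key, so the negative check is required.
check_validsig() {
    printf '%s\n' "$1" | awk -v fpr="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_tarball TARBALL SIGNATURE
# Runs gpg against the pinned keyring only (no default keyring, no web of
# trust) and hands the machine-readable status lines to check_validsig.
verify_tarball() {
    status=$(gpg --batch --no-default-keyring --keyring "$KEYRING" \
                 --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    check_validsig "$status" "$EXPECTED_FPR"
}

# Usage: ./verify.sh package-1.0.tar.gz package-1.0.tar.gz.asc
# Only when the signature checks out does the usual build proceed.
if [ "$#" -eq 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "signature OK, building"
        tar xzf "$1" && cd "${1%.tar.gz}" && ./configure && make && make install
    else
        echo "REFUSING TO BUILD: $1 is not signed by $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```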