
Re: Proposal for removal of mICQ package



On Fri, Feb 14, 2003 at 08:20:01PM +0100, Josip Rodin wrote:
> On Fri, Feb 14, 2003 at 11:45:49AM -0500, Timothy Ball wrote:
> > Hey I can expect the maintainer to at least try to install his own deb
> > and run the program.
> 
> I thought it wouldn't matter, as the code was set up exactly so that the
> maintainer doesn't notice.
> 

If this is true, then the package must be removed. If upstream is
intentionally malicious to Debian users, and we know so, it would be
irresponsible to subject our users to their code.

We must have criteria for removing packages and if this isn't a
perfect case of a package to be removed, then I don't know what is. I
would even suggest that we replace the current package with a new
package containing some sort of documentation describing the reasons
for removal and containing a suggests line for other ICQ clients.

If we had a policy of auditing all code, it would increase our need
for resources dramatically, as any decent audit would have to be done
by someone very proficient in the given language. There are plenty of
obfuscation techniques that can be used. 

  cardenas

-- 
michael cardenas       | lead software engineer, lindows.com
hyperpoem.net          | GNU/Linux software developer
people.debian.org/~mbc | encrypted email preferred

"Madame, there are always two paths to take; one back towards the
comforts and security of death, the other towards nowhere."
- Henry Miller
