On Fri, Feb 14, 2003 at 01:18:56PM +1000, Anthony Towns wrote:
> > > As far as avoiding getting trojan horses in the distribution goes, isn't
> > > that why we have maintainers?
> > It is certainly the case that a maintainer is responsible for making sure
> > the uploaded packages are sound, but I think we need to face facts here:
> > we don't have so many skilled developers that we can reasonably expect to
> > audit the diffs of every new upstream release that's uploaded into our
> > archive.
> See, I find that claim, and the fact that people seem so willing to
> accept it, a lot more concerning than some stupid obfuscated printf and
> exit making it into unstable.
What are we going to give up to get developers to spend this time
auditing their packages? Package count? QA? Maintainer sanity ("job
satisfaction")?
Flamewars? :)
I don't know that there are many developers among us who aren't already
dedicating as much time to Debian as they're willing/able. If there
aren't, something has to give somewhere else. 1-2 hours per upstream
release per package can add up rather quickly.
> > We are very much exposed where upstreams are concerned, and the
> > best way to protect against that is to make sure we know and trust our
> > upstreams (and, be able to know and trust the origins of the tarball
> > we're downloading).
> This isn't possible. For example, we'll lose a lot more software if we
> drop every upstream that doesn't have an md5sum file that's signed by
> a key connected to our web of trust, than if we just insist on maintainers
> auditing every update they do to their package.
And if we already have trusted, signed md5sum files?
--
Steve Langasek
postmodern programmer