On Fri, Feb 14, 2003 at 01:18:56PM +1000, Anthony Towns wrote:
> > > As far as avoiding getting trojan horses in the distribution goes, isn't
> > > that why we have maintainers?

> > It is certainly the case that a maintainer is responsible for making sure
> > the uploaded packages are sound, but I think we need to face facts here:
> > we don't have so many skilled developers that we can reasonably expect to
> > audit the diffs of every new upstream release that's uploaded into our
> > archive.

> See, I find that claim, and the fact that people seem so willing to
> accept it, a lot more concerning than some stupid obfuscated printf and
> exit making it into unstable.

What are we going to give up to get developers to spend this time auditing
their packages? Package count? QA? Maintainer sanity ("job satisfaction")?
Flamewars? :)

I don't know that there are many developers among us who aren't already
dedicating as much time to Debian as they're willing/able. If there aren't,
something has to give somewhere else. 1-2 hours per upstream release per
package can add up rather quickly.

> > We are very much exposed where upstreams are concerned, and the
> > best way to protect against that is to make sure we know and trust our
> > upstreams (and, be able to know and trust the origins of the tarball
> > we're downloading).

> This isn't possible. For example, we'll lose a lot more software if we
> drop every upstream that doesn't have an md5sum file that's signed by
> a key connected to our web of trust, than if we just insist on maintainers
> auditing every update they do to their package.

And if we already have trusted, signed md5sum files?

-- 
Steve Langasek
postmodern programmer
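The signed md5sum file the two of them are arguing about only protects anyone if somebody actually checks the tarball against it after the signature has been verified. The following is an added example, not part of the thread and not Debian's own tooling: the hash-comparison half of that check in Python. It strips the clearsign framing from a sums file, accepts both md5sum and sha256sum output (a generalization beyond the md5sum files named in the thread), and reports each listed tarball as OK, FAILED or MISSING. It assumes `gpg --verify` has already accepted the signature against a key you trust; it deliberately does not call gpg so that it runs offline. All file names, contents and digest lines are constructed for the demo.

```python
"""Check downloaded tarballs against a (clearsigned) md5sum/sha256sum file.

Added example; assumes the signature on the sums file was already verified
with gpg against a trusted key. Sample data below is constructed.
"""
import hashlib
import os
import re
import tempfile

# One line of md5sum(1)/sha256sum(1) output: "<hex>  <name>" or "<hex> *<name>"
_SUM_LINE = re.compile(r"^([0-9a-fA-F]+)\s[ *](.+)$")
_ALGO_BY_LEN = {32: "md5", 64: "sha256"}   # hex digest length -> hashlib name


def clearsigned_body(text):
    """Return the signed payload of a PGP clearsigned message.

    Only the framing is handled here (Hash: headers, dash-escaping). Whether
    the signature is good, and whose key made it, is gpg's job and must be
    settled before this function's output is trusted.
    """
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text                      # plain sums file, nothing to strip
    i = 1                                # skip the armor headers up to the blank line
    while i < len(lines) and lines[i] != "":
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        if line.startswith("- "):        # RFC 4880 dash-escaping
            line = line[2:]
        body.append(line)
    return "\n".join(body)


def parse_sums(text):
    """Parse sums-file text into a list of (algorithm, hex digest, filename)."""
    entries = []
    for line in clearsigned_body(text).splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = _SUM_LINE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        digest, name = m.group(1).lower(), m.group(2)
        algo = _ALGO_BY_LEN.get(len(digest))
        if algo is None:
            raise ValueError("unsupported digest length on: %r" % line)
        entries.append((algo, digest, name))
    return entries


def file_digest(path, algo):
    """Hash a file in chunks so large tarballs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dir(sums_text, directory):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every listed file."""
    results = {}
    for algo, expected, name in parse_sums(sums_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif file_digest(path, algo) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


# Constructed sample: tiny stand-ins for tarballs. The digests are the
# RFC 1321 (md5) and FIPS 180 (sha256) test vectors for the string "abc".
SAMPLE_FILES = {
    "foo-1.0.tar.gz": b"abc",   # matches its md5 line
    "bar-2.1.tar.gz": b"abd",   # listed with md5("abc"): simulates tampering
    "qux-1.2.tar.gz": b"abc",   # matches its sha256 line
    # "baz-0.3.tar.gz" is listed but never written: simulates a missing file
}

SAMPLE_SIGNED_SUMS = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

900150983cd24fb0d6963f7d28e17f72  foo-1.0.tar.gz
900150983cd24fb0d6963f7d28e17f72  bar-2.1.tar.gz
900150983cd24fb0d6963f7d28e17f72  baz-0.3.tar.gz
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *qux-1.2.tar.gz
-----BEGIN PGP SIGNATURE-----
(signature block omitted; gpg --verify must have accepted it before this point)
-----END PGP SIGNATURE-----
"""


def demo():
    """Write the sample files to a temp dir and verify them against the sums."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return verify_dir(SAMPLE_SIGNED_SUMS, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-16s %s" % (name, status))
```

Two caveats a maintainer would apply in practice: a MISSING result is just as much a failure as FAILED (a sums file that lists tarballs you do not have tells you nothing about the one you do), and MD5 is no longer collision resistant, so an upstream that publishes only md5sum lines gives you integrity against accidental corruption and casual tampering, not against an attacker who can choose both colliding tarballs.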