Re: Trust in the Debian Build Process
Thomas Roessler <firstname.lastname@example.org> wrote:
> The essential problem we have to face is that every Debian developer
> and whoever controls the machines developers are using has trivial
> root access to every Debian system his package is installed on.

The essential solution to this problem is redundancy and testing:

(1) We need robust testing of the resulting packages. We're working
    on this, but have a ways to go.

(2) We need a way of confirming that binaries are built properly.
    As far as I know, no one is tackling this.

Any solution is going to have vulnerabilities. A distributed solution
is going to scale better than a centralized solution.