Re: Debian Security Issues
On Saturday 30 January 1999, at 23 h 31, the keyboard of Larry Wilson
<lwilson1@radium.ncsc.mil> wrote:
> The professor asked me to find out :
> "What is distinctive about Debian Linux development that affects
> its assurance? "
As a recent Debian developer (Sep. 1998), let me give my opinion:
What is distinct with Debian is that:
- there is no separation between "contrib" and not-contrib (like RedHat, but
also *BSD, does). All packages have the same standards of quality, as
described in the Debian policy <http://www.debian.org/doc/debian-policy/>.
This has some implications about security: in RedHat, non-contrib packages are
checked by RedHat, for the rest, it is up to you. Since you cannot really work
with just non-contrib packages, you easily install non-trusted binaries.
- all developers are registered and there is at least some attempts to try to
be sure of their identity (I had to sent a scan of my passport, PGP-signed of
course). The names are public <http://www.debian.org/devel/people>. You know
who made your package.
- all packages are PGP-signed by a developer. (The public keys are... public.)
- all bugs are public <http://www.debian.org/Bugs>, meaning that a lazy
maintainer cannot conceal a security problem in one of its packages.
Reply to: