Re: Packages removed from frozen
>>"Antti-Juhani" == Antti-Juhani Kaijanaho <gaia@iki.fi> writes:
Antti-Juhani> This is true of every package in Debian, since all of
Antti-Juhani> them depend - either directly or indirectly - on
Antti-Juhani> GCC being free from a trojan. In fact, having several
Antti-Juhani> independently bootstrapped subsystems in Debian reduces
Antti-Juhani> the risk of having such a trojan infecting the whole of
Antti-Juhani> Debian.
I disagree. A single package can be tested and determined to
be free of such trojans (and this has been already done for gcc). Add
more points of failure and you weaken the system.
Of course, some version X of gcc may introduce a trojan
visible in the source code, and remove it in version X+1; but leave
the infected binary around to perpetuate the trojan. I would expect
the gcc maintainer to be familiar with the diffs and catch the most
obvious of these attempts; but I suspect that gcc sources ought to
be built on other platforms periodically (perhaps even cross
compiled) to ensure ourselves that the code is still clean.
manoj
--
It's all right letting yourself go as long as you can let yourself
back. Mick Jagger
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C