
Re: Packages removed from frozen



>>"Antti-Juhani" == Antti-Juhani Kaijanaho <gaia@iki.fi> writes:

 Antti-Juhani> This is true of every package in Debian, since all of
 Antti-Juhani> them depend - either directly or indirectly - on
 Antti-Juhani> GCC being free from a trojan.  In fact, having several
 Antti-Juhani> independently bootstrapped subsystems in Debian reduces
 Antti-Juhani> the risk of having such a trojan infecting the whole of
 Antti-Juhani> Debian.

        I disagree. A single package can be tested and determined to
 be free of such trojans (and this has been already done for gcc). Add
 more points of failure and you weaken the system.

        Of course, some version X of gcc may introduce a trojan
 visible in the source code, and remove it in version X+1; but leave
 the infected binary around to perpetuate the trojan. I would expect
 the gcc maintainer to be familiar with the diffs and catch the most
 obvious of these attempts; but I suspect that gcc sources ought to
 be built on other platforms periodically (perhaps even cross
 compiled) to ensure ourselves that the code is still clean.

        manoj

-- 
 It's all right letting yourself go as long as you can let yourself
 back. Mick Jagger
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C