On Thu, Nov 14, 2002 at 02:03:42AM +0000, Ian Jackson wrote:
> Another question that wants to be asked is:
>
> - How do we stop an attacker who has compromised some Developer's
>   machine from using that Developer's key to get a trojan widely
>   installed ?

This is not prevented currently and will not in the way we are going to advance in the future. This is not to blame in the security model itself, it is to blame in the development model itself.

And, BTW, it's only prevented by peer-audits of incoming packages. These reviews, BTW, could be made easier with diffs against previous releases (say a diff from 1.0-2 to 1.0-1) instead of having to go comparing the diff files against the original source.

Regards

Javi