Re: Proposal for removal of mICQ package
Anthony Towns <aj@azure.humbug.org.au> writes:
> In any event, the question isn't about how hard this is, it's about
> what alternatives there are. Not packaging stuff that's already been
> trojaned would not have avoided this problem; nor would pretending
> the problem doesn't exist or can't happen to us. We've been
> exploited once -- happily in a manner that doesn't cause major
> problems. We've already seen that this is a common attack -- a bunch
> of upstream sites and mirrors have been cracked and had source code
> trojaned. We're vulnerable. What can we do to fix this hole? What
> will we do to fix it?
I believe Debian developers should pressure upstream to sign their
tarballs with GPG. As source trojans due to hacking are more and more
common these days, this is a good way for the free software community to
guarantee upstream integrity. At least, this does ease our job of
reviewing source code and strengthens upstream against trojans.
Cheers,
Benjamin
--
.''`.
; ;' ; Debian GNU/Linux | Benjamin Drieu
`. `' http://www.debian.org/ | <benj@debian.org>
`-
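What the proposal above amounts to in practice, as an added example that is not part of the original thread: upstream publishes a detached GPG signature next to the release tarball, the packager verifies it before unpacking anything, and a tarball altered on a cracked mirror (signature file left untouched) is rejected. The key, the "upstream@example.invalid" identity, the tarball contents and the tampering are all constructed here inside a throwaway GNUPGHOME; nothing touches the caller's real keyring.

```shell
#!/bin/sh
# Added example (not from the original thread): detached GPG signature on a
# release tarball, verified before use, and shown to fail once the tarball is
# modified.  Key, tarball and signature are all constructed in a temporary
# GNUPGHOME so the caller's keyring is never touched.

# verify_tarball SIG TARBALL -> exit 0 if SIG is a good signature over TARBALL
# by a key present in the current keyring, non-zero otherwise.
verify_tarball() {
    gpg --batch --quiet --verify "$1" "$2" >/dev/null 2>&1
}

# run_signing_demo: build a signed release, verify it, tamper with it, verify
# again.  Returns 0 only if the pristine tarball verifies AND the tampered
# copy is rejected; any other outcome returns 1.
run_signing_demo() {
    workdir=$(mktemp -d) || return 1
    GNUPGHOME="$workdir/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1

    # 1. Upstream's signing key (hypothetical identity, generated on the spot).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Upstream Demo <upstream@example.invalid>' \
        default default never >/dev/null 2>&1 || return 1

    # 2. A constructed release tarball standing in for demo-1.0.tar.
    mkdir "$workdir/demo-1.0" || return 1
    printf 'int main(void) { return 0; }\n' > "$workdir/demo-1.0/main.c"
    tar -C "$workdir" -cf "$workdir/demo-1.0.tar" demo-1.0 || return 1

    # 3. Upstream signs the tarball: a detached, ASCII-armoured signature
    #    (demo-1.0.tar.asc) that is shipped alongside the tarball itself.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --yes \
        --armor --detach-sign --output "$workdir/demo-1.0.tar.asc" \
        "$workdir/demo-1.0.tar" >/dev/null 2>&1 || return 1

    # 4. The packager verifies before touching a single source file.
    verify_tarball "$workdir/demo-1.0.tar.asc" "$workdir/demo-1.0.tar" || return 1

    # 5. Simulate a cracked mirror: the tarball is altered, the signature file
    #    is left as it was.  Verification must now fail.
    printf 'extra byte\n' >> "$workdir/demo-1.0.tar"
    if verify_tarball "$workdir/demo-1.0.tar.asc" "$workdir/demo-1.0.tar"; then
        return 1
    fi

    # Clean up the throwaway agent and directory.
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$workdir"
    return 0
}

run_signing_demo && echo "pristine tarball verified, tampered tarball rejected"
```

The check only means something if the verifying key was obtained out of band (keyserver plus a fingerprint published on the project's site, or a key exchanged with the upstream author), not fetched from the same mirror as the tarball; in this demo the key is trusted simply because it sits in the temporary keyring.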