Re: Proposal for removal of mICQ package
Anthony Towns <aj@azure.humbug.org.au> writes:
> In any event, the question isn't about how hard this is, it's about
> what alternatives there are. Not packaging stuff that's already been
> trojaned would not have avoided this problem; nor would pretending
> the problem doesn't exist or can't happen to us. We've been
> exploited once -- happily in a manner that doesn't cause major
> problems. We've already seen that this is a common attack -- a bunch
> of upstream sites and mirrors have been cracked and had source code
> trojaned. We're vulnerable. What can we do to fix this hole? What
> will we do to fix it?
I believe Debian developers should pressure upstream to sign their
tarballs with GPG.  As source trojans due to hacking are more and more
common these days, this is a good way for the free software community to
guarantee upstream integrity.  At least, this does ease our job of
reviewing source code and strengthens upstream against trojans.
Cheers,
Benjamin
-- 
  .''`.
 ; ;' ;      Debian GNU/Linux     |   Benjamin Drieu
 `. `'    http://www.debian.org/  |  <benj@debian.org>
   `-    