
Re: Proposal for removal of mICQ package

On Thu, Feb 13, 2003 at 02:22:14PM -0600, Steve Langasek wrote:
> On Fri, Feb 14, 2003 at 04:46:10AM +1000, Anthony Towns wrote:
> > 	if (strcmp(me, "madkiss") == 0 && time(NULL) > Feb11th) {
> Perhaps owing to the obfuscation employed, you overlooked the fact that
> you've reversed the sense of one of the tests above?  

Nah, it was due to the time I was writing it at.

> [...] apparently in the (fulfilled) hope that Martin would
> not notice the change and upload a package that made him (and Debian in
> general) look like a fool.

I think you'll find the time() call did a better job of that.

> > As far as avoiding getting trojan horses in the distribution goes, isn't
> > that why we have maintainers?
> It is certainly the case that a maintainer is responsible for making sure
> the uploaded packages are sound, but I think we need to face facts here:
> we don't have so many skilled developers that we can reasonably expect to
> audit the diffs of every new upstream release that's uploaded into our
> archive.  

See, I find that claim, and the fact that people seem so willing to
accept it, a lot more concerning than some stupid obfuscated printf and
exit making it into unstable.

> We are very much exposed where upstreams are concerned, and the
> best way to protect against that is to make sure we know and trust our
> upstreams (and be able to know and trust the origins of the tarball
> we're downloading).

This isn't possible. For example, we'll lose a lot more software if we
drop every upstream that doesn't have an md5sum file that's signed by
a key connected to our web of trust, than if we just insist on maintainers
auditing every update they do to their package.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``Dear Anthony Towns: [...] Congratulations -- 
        you are now certified as a Red Hat Certified Engineer!''
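The kind of per-upload diff audit Anthony is asking maintainers to do, as an added example that is not part of this thread nor code from Debian or mICQ: a Python script that takes the previous and the new upstream source, produces the unified diff, and flags added lines carrying the tell-tales this thread mentions (a strcmp() against a hard-coded name, a time() comparison, a printf assembled from char codes, an exit()). The two C sources, the file names, the pattern list and the 1044921600 epoch value (2003-02-11 00:00 UTC) are constructed for the demonstration; a real run would read the files from the two unpacked tarballs.

```python
"""Triage the diff between two upstream releases for trojan tell-tales.

Added example for the thread above; not code from Debian or mICQ.  OLD_SRC
stands for the release already in the archive, NEW_SRC for the update the
maintainer is about to upload.  Both are constructed samples.
"""
import difflib
import re
import sys

OLD_SRC = """\
#include <stdio.h>
#include <string.h>
#include <time.h>

int main(int argc, char **argv)
{
    const char *me = argc > 1 ? argv[1] : "nobody";
    printf("hello, %s\\n", me);
    return 0;
}
"""

# The new release grows a block that fires for one user only, only after a
# date (1044921600 = 2003-02-11 00:00 UTC, constructed), prints a message
# built from char codes and exits.
NEW_SRC = """\
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    const char *me = argc > 1 ? argv[1] : "nobody";
    if (strcmp(me, "madkiss") == 0 && time(NULL) > 1044921600) {
        printf("%c%c%c\\n", 0x62, 0x79, 0x65);
        exit(1);
    }
    printf("hello, %s\\n", me);
    return 0;
}
"""

# Patterns that deserve a second look when they show up in *added* lines.
# A starting point chosen for this demo, not an exhaustive signature set.
SUSPICIOUS = [
    (re.compile(r"\btime\s*\(\s*NULL\s*\)"), "wall-clock comparison (time bomb?)"),
    (re.compile(r'\bstrcmp\s*\([^,]*,\s*"[^"]*"\s*\)'), "compare against a hard-coded name"),
    (re.compile(r"\b(getenv|getlogin|getpwuid|getuid)\s*\("), "asks who is running the binary"),
    (re.compile(r"0x[0-9a-fA-F]{2}(\s*,\s*0x[0-9a-fA-F]{2}){2,}"), "string assembled from char codes"),
    (re.compile(r"\b_?exit\s*\("), "process exit in new code"),
]

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def audit_diff(old, new, fromfile="old/main.c", tofile="new/main.c"):
    """Return (unified diff lines, findings).

    Each finding is (line number in the new file, added line, reason).
    Only '+' lines are inspected: context and deletions are what the
    maintainer already reviewed for the previous release.
    """
    diff = list(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                     fromfile, tofile, lineterm=""))
    findings = []
    new_lineno = 0
    in_hunk = False
    for line in diff:
        m = HUNK_HEADER.match(line)
        if m:
            new_lineno = int(m.group(1))   # first new-file line of this hunk
            in_hunk = True
            continue
        if not in_hunk or line.startswith("-"):
            continue                       # file headers, or a removed line
        if line.startswith("+"):
            added = line[1:]
            for pattern, reason in SUSPICIOUS:
                if pattern.search(added):
                    findings.append((new_lineno, added.strip(), reason))
        new_lineno += 1                    # context and added lines both advance the new file
    return diff, findings


if __name__ == "__main__":
    diff, findings = audit_diff(OLD_SRC, NEW_SRC)
    print("\n".join(diff))
    print()
    for lineno, added, reason in findings:
        print(f"new/main.c:{lineno}: {reason}\n    {added}")
    sys.exit(1 if findings else 0)
```

Run stand-alone it prints the diff followed by the flagged lines and exits non-zero when anything was flagged, so it can sit in front of the upload step. The pattern list only triages; the point of the thread is that the maintainer still reads the whole diff, and the script just makes sure the lines most worth reading are not missed among a large upstream update.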
