On Thu, Feb 13, 2003 at 02:22:14PM -0600, Steve Langasek wrote:
> On Fri, Feb 14, 2003 at 04:46:10AM +1000, Anthony Towns wrote:
> > if (strcmp(me, "madkiss") == 0 && time(NULL) > Feb11th) {
> Perhaps owing to the obfuscation employed, you overlooked the fact that
> you've reversed the sense of one of the tests above?
Nah, it was due to the time I was writing it at.
> [...] apparently in the (fulfilled) hope that Martin would
> not notice the change and upload a package that made him (and Debian in
> general) look like a fool.
I think you'll find the time() call did a better job of that.
> > As far as avoiding getting trojan horses in the distribution goes, isn't
> > that why we have maintainers?
> It is certainly the case that a maintainer is responsible for making sure
> the uploaded packages are sound, but I think we need to face facts here:
> we don't have so many skilled developers that we can reasonably expect to
> audit the diffs of every new upstream release that's uploaded into our
> archive.
See, I find that claim, and the fact that people seem so willing to
accept it, a lot more concerning than some stupid obfuscated printf and
exit making it into unstable.
> We are very much exposed where upstreams are concerned, and the
> best way to protect against that is to make sure we know and trust our
> upstreams (and, be able to know and trust the origins of the tarball
> we're downloading).
This isn't possible. For example, we'll lose a lot more software if we
drop every upstream that doesn't have an md5sum file that's signed by
a key connected to our web of trust, than if we just insist on maintainers
auditing every update they do to their package.
Cheers,
aj
--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.
``Dear Anthony Towns: [...] Congratulations --
you are now certified as a Red Hat Certified Engineer!''
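To make concrete what "an md5sum file that's signed by a key connected to our web of trust" would require of a maintainer, here is an added example, not code from this thread or from any Debian tool. It parses the status lines that `gpg --status-fd` emits when verifying a detached signature over an md5sum file, accepts the signature only if it is valid and the signing key has full or ultimate trust in the local web of trust, and then checks the tarball's digest against the signed list. The gpg status keywords (`VALIDSIG`, `BADSIG`, `TRUST_FULLY`, ...) are real, but the sample status output, the file names and the key fingerprint below are constructed for the demonstration; `verify_upstream` is the only part that shells out to gpg and is not exercised by the in-memory demo.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# Trust levels at which we treat the signing key as "connected to our web of trust".
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def parse_gpg_status(status_text):
    """Parse `gpg --status-fd` output; return (signature_good, trust_keyword, fingerprint)."""
    good, bad, trust, fpr = False, False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "VALIDSIG" and len(fields) > 2:
            good, fpr = True, fields[2]
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            bad = True
        elif keyword.startswith("TRUST_"):
            trust = keyword          # e.g. TRUST_UNDEFINED, TRUST_MARGINAL, TRUST_FULLY
    return good and not bad, trust, fpr


def signature_acceptable(status_text):
    """A valid signature is not enough: the key must also be trusted via the web of trust."""
    good, trust, _ = parse_gpg_status(status_text)
    return good and trust in ACCEPTED_TRUST


def parse_md5sum_file(text):
    """Parse md5sum(1) output: '<32 hex>  <name>' or '<32 hex> *<name>' (binary mode)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([0-9a-fA-F]{32})\s+\*?(.+)$", line)
        if not m:
            raise ValueError(f"malformed md5sum line: {raw!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def check_digests(entries, read=lambda name: Path(name).read_bytes()):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every file named in the signed list."""
    results = {}
    for name, expected in entries.items():
        try:
            data = read(name)
        except (FileNotFoundError, KeyError):
            results[name] = "missing"
            continue
        results[name] = "ok" if hashlib.md5(data).hexdigest() == expected else "mismatch"
    return results


def verify_upstream(sums_file, sig_file, keyring):
    """Run gpg over the detached signature, then check the listed files. Requires gpg (untested here)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--no-default-keyring",
         "--keyring", str(keyring), "--verify", str(sig_file), str(sums_file)],
        capture_output=True, text=True, check=False)
    if not signature_acceptable(proc.stdout):
        return False, {}
    results = check_digests(parse_md5sum_file(Path(sums_file).read_text()))
    return all(v == "ok" for v in results.values()), results


# Constructed sample gpg status output (fingerprint and user id are placeholders).
SAMPLE_STATUS_OK = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Upstream <upstream@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2003-02-13 1045167000 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""
# Same signature, but the key is not reachable through our web of trust.
SAMPLE_STATUS_UNTRUSTED = SAMPLE_STATUS_OK.replace("TRUST_FULLY 0 pgp", "TRUST_UNDEFINED 0 pgp")

# Constructed signed md5sum file and the "downloaded" files it covers.
SAMPLE_SUMS = "5d41402abc4b2a76b9719d911017c592  foo-1.0.tar.gz\n"
SAMPLE_FILES = {"foo-1.0.tar.gz": b"hello"}


def demo():
    """In-memory run of the two checks; returns (signature accepted, digest results)."""
    accepted = signature_acceptable(SAMPLE_STATUS_OK)
    results = check_digests(parse_md5sum_file(SAMPLE_SUMS), read=lambda n: SAMPLE_FILES[n])
    return accepted, results


if __name__ == "__main__":
    print(demo())
```

The two-stage check is the point: a `GOODSIG`/`VALIDSIG` line only proves the file matches some key, while the `TRUST_*` line is what ties that key to the maintainer's web of trust, so the script rejects `TRUST_UNDEFINED` even when the signature itself is fine. The digest format mirrors the thread's md5sum files; widening the hex-length in the regex and swapping `hashlib.md5` lets the same code consume sha256sum output.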