Re: Proposal for removal of mICQ package
Brian May <bam@debian.org> writes:
> On Sat, Feb 15, 2003 at 07:54:11PM +0100, Florian Weimer wrote:
>> If such things happen, how can you trust the Debian Project to
>> deliver uncompromised software?
>
> It was one isolated event.
Yes, but more such events will follow. One of them will be the first
big compromise. Currently, I can only recommend Debian privately
because the baptism of fire is still to happen.

Debian is a bit like BGP (or even IP networking 8-). By using it, you
trust many more people than you would like to, but nevertheless you rely on
it for critical business operations.
> If it matters this much to you or to your business that there be no
> security holes, perhaps it would really be worthwhile employing
> people to audit the code you use for potential security problems.
Working package and release signatures would be more important at this
point, IMHO. Debian still lacks a secure and moderately automated
mechanism for pulling security updates (and I'm not even talking about
pushing the updates).