Re: Proposal for removal of mICQ package

[Florian Weimer <fw@deneb.enyo.de>]

Brian May <bam@debian.org> writes:

> On Sat, Feb 15, 2003 at 07:54:11PM +0100, Florian Weimer wrote:
>> If such things happen, how can you trust the Debian Project to
>> deliever uncompromised software?
>
> It was one isolated event.

Yes, but more such events will follow.  One of it will be the first
big compromise.  Currently, I can only recommend Debian privately
because the baptism of fire is still to happen.

Debian is a bit like BGP (or even IP networking 8-).  By using it, you
trust much more people you would like to, but nevertheless you rely on
it for critical business operations.

> If it matters this much to you or to your bussiness that there be no
> security holes, perhaps it would really be worthwhile employing
> people to audit the code you use for potential security problems.

Working package and release signature would be more important at this
point, IMHO.  Debian still lacks a secure and moderately automated
mechanism for pulling security updates (and I'm not even talking about
pushing the updates).