
Re: Revival of the signed debs discussion

Scripsit Goswin von Brederlow
> Henning Makholm <henning@makholm.net> writes:

> > I refer you to Ken Thompson's Turing award lecture. If someone who
> > really means business manages to compromise binary toolchain debs, all
> > the hackers in the world reading source over and over will not find
> > the backdoor.

> But their source is already secured by the same means.

You really need to read Thompson's paper.

> One can maintain and update a Debian system from source alone so one
> only has to trust the peer reviewing of sources.

How do you compile the sources without first having to trust binary
.debs for the toolchain?

Henning Makholm                        "I have seen men with a *fraction* of
                                 your trauma pray to their deity for death's
                         release. And when death doesn't arrive immediately,
                       they reject their deity and begin to beg to another."
