
Re: Bug#241689: I'm going to NMU this

* John Hasler (john@dhh.gt.org) [040831 16:40]:
> Colin Watson writes:
> > Do you not think it is important for sponsors to verify what they're
> > sponsoring against trojans? How do you propose to verify a lump of binary
> > data you've received?

> By receiving both binary and source, verifying as you would with a full
> upload, and then uploading only the binary?

I would call this naive. For sourceful sponsoring, you need to
rebuild on your own system, to prevent trojans in the binary. And if
you rebuild, why call it "binary sponsoring" at all then? Just call it
"you were hinted to do a rebuild".

   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C
