Re: Unofficial buildd network has been shut down
Henrique de Moraes Holschuh wrote:
[snip]
> > are not allowed to think for themselves and decide whom and what systems
> > to trust. That was the message conveyed in the thread and on IRC. It's
> > not the place of a DD to decide for all of Debian whom to trust.
>
> Obviously. And from a security standpoint, that is the only sane position.
> Trust is not, and cannot be transitory.
Following that rationale, you now have to remove gcc and everything
compiled with it from Debian, since no DD did a full code audit.
Free Software works only in a web of trust.
> This is basic, and it is
> acknowledged even on the most informal security model in existence: "a
> secret stops being a secret if you tell it to anyone else/keep secrets to
> yourself".
Non sequitur. Trust doesn't imply secrecy.
> We should act as a whole on security matters. If we decide that "third
> party run" autobuilders are okay (for some definition of third party), then
> they are okay for *everyone*. Otherwise, they must "not be okay" for
> anyone, or any security implications are being thrown out the window.
Only if you engage in black-and-white thinking, where any DD is
automatically and absolutely trusted, while non-DDs deserve no
trust at all.
Thiemo