On 8/22/05, Hamish Moffatt <firstname.lastname@example.org> wrote:
> Really? The maintainer can still embed "rm -rf /" in the postinst either
> way. We need to be able to trust developers.
>
> Similarly, sponsored packages should be rebuilt because the project
> hasn't decided to officially trust those contributors.

But it's far easier to check (audit?) source code than to check binaries.