
Re: dpkg-sig support wanted?



On Tue, Nov 29, 2005 at 02:20:55PM +0100, Florian Weimer wrote:
> > not even be out of the question to find someone who'll sponsor an upload
> > without rebuilding the .deb. I think it's safe to imagine that there are
> > developers right now who've done some shady things in the past; is it
> > that far fetched to imagine it's worth protecting against developers
> > who try to abuse their privileges?
> No, but they can directly upload a bad package.  No need to create an
> MD5 collision and sneak the "evil twin" package into some mirror
> archive.

Sure; someday, maybe some of the test suite stuff will allow us to avoid
that, but at the moment we can't. What we can do now is limit the chances
that people will get away with that.

> Have we already done that?  Have we expelled people because they put
> vulnerable code into Debian?

We've expelled people for violating the DMUP in other ways; and we've
stopped distributing micq because it included upstream code that could
reasonably be called an exploit.

> You can embed code that checks for characteristics of the victim
> system and activate the attack only if there's a match.

Sure, these things aren't perfect; but they're a help.

Anyway, I'm not going to waste my time further arguing why we shouldn't
continue using a hash that's had a practical exploit published on
slashdot.

Cheers,
aj

Attachment: signature.asc
Description: Digital signature

