Re: Building packages with exact binary matches

On Tue, 25 Sep 2007 00:04:15 +0200, Martin Uecker <muecker@gmx.de> said: 

> Manoj Srivastava <srivasta@debian.org> wrote:

>> On Mon, 24 Sep 2007 04:56:45 +0200, Martin Uecker <muecker@gmx.de>
>> said:
>> Actually, if you do not trust the path down which a binary package
>> flows, you can not use any information down that flow path to test
>> your implementation.  You need to do a full source audit, and build
>> from source -- at which point, you might just install your trusted
>> binary, instead of trying to verify that the upstream package is the
>> same as yours.

> It would be enough when just a few people are actually recompiling the
> binaries and compare them to the official debian packages. Then
> *everybody* could trust that the packages are not modified, because any
> modification would be detected immediately. This is only possible with
> bit-identical binaries.

        Err, what? Why would everyone do that? I mean, you do not trust
 the Debian distribution system, the archive gpg signatures, the md5sums
 on the package, etc, and yet you are willing to accept mails from
 other people that things are OK?

        Given a sufficiently large BOTNET, I can send a million or so
 emails, joe jobs and all, saying that the original source is juuuuuust
 fine, folks.

        You believe that, I have a bridge over in Manhattan ...
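The check the thread is arguing about, written out as an added example (not code from either poster or from Debian's tooling): with bit-identical builds, a rebuilder verifies a package by hashing their own build and comparing it with the hash the archive publishes in its Packages index, and a third party can only rely on that verification when the report carries a hash that matches the archive's, not a bare "it is fine" mail. The package name, version, file name and payload bytes below are constructed; a real .deb is an ar archive, but the comparison only needs the bytes.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for an official binary package (not a real .deb).
OFFICIAL_DEB = b"!<arch>\nexample-tool 1.0-1 amd64 (constructed payload)\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_index_stanza(package: str, version: str, filename: str, data: bytes) -> str:
    """Build one Packages-index stanza (RFC822-style fields) for constructed data."""
    return (
        f"Package: {package}\n"
        f"Version: {version}\n"
        f"Architecture: amd64\n"
        f"Filename: {filename}\n"
        f"Size: {len(data)}\n"
        f"SHA256: {sha256_hex(data)}\n"
    )


def parse_packages_index(text: str) -> Dict[str, Dict[str, str]]:
    """Parse blank-line-separated stanzas into {package: {field: value}}."""
    result: Dict[str, Dict[str, str]] = {}
    for stanza in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields:
            result[fields["Package"]] = fields
    return result


def check_rebuild(index: Dict[str, Dict[str, str]], package: str,
                  rebuilt: bytes) -> Tuple[bool, str, str]:
    """Compare a local rebuild against the hash the archive index publishes.

    Returns (matches, expected_hash, actual_hash); any difference, even one
    byte, is a detectable modification only because the build is bit-identical.
    """
    expected = index[package]["SHA256"]
    actual = sha256_hex(rebuilt)
    return expected == actual, expected, actual


def count_confirming_rebuilders(expected: str,
                                reports: List[Tuple[str, Optional[str]]]) -> int:
    """Count distinct rebuilders whose reported hash equals the archive's.

    A report without a hash (a bare "it is fine" message) carries no evidence
    and is ignored; the same rebuilder reporting twice counts once.
    """
    return len({who for who, digest in reports
                if digest is not None and digest == expected})


if __name__ == "__main__":
    # Constructed archive index: one stanza for the official package.
    index = parse_packages_index(make_index_stanza(
        "example-tool", "1.0-1",
        "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb", OFFICIAL_DEB))
    ok, expected, actual = check_rebuild(index, "example-tool", OFFICIAL_DEB)
    print("clean rebuild matches archive:", ok)
    ok, _, actual = check_rebuild(index, "example-tool", OFFICIAL_DEB + b"\x00")
    print("tampered rebuild matches archive:", ok)
    # Constructed reports: one hash match, one hashless mail, one wrong hash.
    reports = [("rebuilder-a", expected), ("mailer-b", None), ("rebuilder-c", actual)]
    print("independent confirmations:", count_confirming_rebuilders(expected, reports))
```

The hashless report is the case Manoj objects to: without a hash that can be checked against one's own rebuild and the archive's index, a message asserting that the package is fine is just a message.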

