Re: Package management unsafe?
* Ron Johnson:
> What are people's thoughts on this?
HTTPS doesn't help against non-trusted mirrors.
The difficult question is how to tell an APT source which is not updated
regularly from an APT source that has been rolled back in a replay
Apart from that, this is clearly a PR stunt. Next, we might see someone
who tries to get into the project, with the intent to upload Trojanized
packages--all in the name of academic research.