
Re: leaks in our only-signed-software fortress



On Tue, 2012-02-21 at 16:59 -0600, Gunnar Wolf wrote:
> Sadly, I think this is more propaganda and wishful thinking than
> reality. And if I'm going to badmouth somebody, I'll badmouth myself.

I guess you're right that for large software it's difficult to
impossible for the maintainer to really follow up on all the code changes
(basically doing an audit)... but still, what was said in this thread
would help...

a) by carefully checking hashsums you at least prevent single
Debian users from being attacked

b) maintainers should still try to get a direct-as-possible trust-path
to upstream

c) we have many maintainers who take part in upstream, too; just take
Mike as an example, who has had commit rights to Mozilla for some time,
IIRC.
Guess for such guys it might be possible to roughly track what has
changed.

d) for very small programs, especially when they don't change a lot and
get just bugfixes, I can imagine that some maintainers have a look at
what has changed.


Cheers,
Chris.
