[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: leaks in our only-signed-software fortress

On Tue, 2012-02-21 at 16:59 -0600, Gunnar Wolf wrote:
> Sadly, I think this is more propaganda and wishful thinking than
> reality. And if I'm going to badmouth somebody, I'll badmouth myself.

I guess you're right, that for large software it's difficult to
impossible for the maintainer to really follow up all the code changes
(basically doing an audit)... but still, what was said in this thread
would help,...

a) by carefully checking hashsums you at least prevent that single
Debian users are attacked

b) maintainers should still try to get a direct-as-possible trust-path
to upstream

c) we have many maintainers who take part in upstream, too, just take
Mike as an example who has commit rights to Mozilla since some time,
Guess for such guys it might be possible to roughly track what has

d) for very small programs, especially when they don't change a lot and
get just bugfixes, I can imagine, that some maintainers have a look at
what has changed.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to: