Re: Preventing government subversion in Debian, verification of binary package uploads
On 24/08/13 22:58, Russ Allbery wrote:
> Thomas Hood <email@example.com> writes:
>> If a Debian contributor were faced with a demand to do something that
>> undermines the privacy or other interests of Debian users then I would
>> hope and expect that the contributor would choose instead to cease being
>> a contributor. Were he not to do so then he would have to be regarded as
>> an infiltrator.
>> Here I assume that U.S. law is not so draconian that it can require
>> someone who has contributed to Debian (and who is therefore trusted) to
>> continue doing so.
> I believe that assumption is not correct based on previous things that
> have happened with National Security Letters from the small amount of
> public information that people have been able to gather.
The defining attribute of open source is that the source is available
for anyone to inspect, change and compile themselves.
That of course breaks down when we have to install binary blobs for some
devices to function, or to make enhanced functionality available.
It's still better than closed-source operating systems that you pay money for
and that in return promise to be the best they can be, given the constraint that
they're in it for the money, and that they're the ones to trust with
your data, unless the people after it are very, very good/bad.
Don't even get me started about the hardware our OSes run on.