Re: Bug#726393: general: Possible malware infections in source packages
On Wed, 16 Oct 2013 20:17:53 +0000, "Andrew M.A. Cater"
>On Wed, Oct 16, 2013 at 11:12:47AM +0200, Marc Haber wrote:
>> On Tue, 15 Oct 2013 12:54:36 +0200, Dominik George <firstname.lastname@example.org>
>> >> Some of the source packages were caught on a gateway anti-virus scanner while
>> >> downloading.
>> >Using a gateway anti-virus scanner for downloads from the Debian archive
>> >seems a bit inappropriate, well, paranoid. Checking the signed hashsums
>> >would seem a lot better to verify the downloads; if Debian's
>> >infrastructure were compromised so viruses could get in *and* be signed,
>> >we and you have other problems.
>> In many organisations it would be a _huge_ hassle to be allowed to
>> download Debian packages directly while bypassing the gateway scanner.
>> It might even lead to a knee-jerk reaction like "This Debian thingy
>> keeps setting off our security alerts, let's ban it and use a
>> supported enterprise distro".
>You have _NO_ idea just how close to the truth you are
I think I know.
>- but even enterprise distributions
>trigger anti-virus programs. Pretty much all false positives, but still ..
Yes, but that's enterprise software with support that we have paid
$AMOUNT of $CURRENCY for. That can't be bad, or our decision would be
wrong, which is not possible with regard to the career of the people
who had taken that decision.
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834