On 2024-02-08 23:44:21 +0100 (+0100), Hans-Christoph Steiner wrote:
> > In business, such things are confirmed (often badly) by independent
> > audit. For a volunteer-driven community effort, we have to rely on
> > everyone to exercise their best judgement in these sorts of matters.
>
> Debian could also get independent, professional audits.
[...]

Perhaps of a sort, but not the kind I'm accustomed to being performed in the corporate world. Having auditors visit every DD's home to watch them upload packages and confirm they're following the claimed secure workflows seems entirely intractable. Sure, you could ask every DD to fill out a questionnaire, but if you don't trust them to all follow documented practices, then why would you trust them to accurately answer survey questions either?

-- 
Jeremy Stanley