
Re: Debian Membership



[I'm only subscribed to -project, but keeping the cross-post]

Frans Pop wrote:
> The effort needed to go through the NM procedure also has an IMO important
> security aspect: it's quite unlikely that a "black hat" would be willing
> to make that effort to get in a position where (s)he could introduce
> trojaned packages into the archive.

IMHO that's a false notion of "security through laziness" :). The
cost/benefit of waiting some months (years?) and doing some easy work
(at least for a black hat with enough technical expertise to write
something that could get through NEW unnoticed) is pretty tempting.
I'd say the only real deterrents to this sort of thing are NEW security
checks and a good identity check when signing someone's key, but of
course even those can be subverted.
Not to mention the almost mythical "1000 eyeballs make any bug shallow"
effect, which should apply - at least tangentially - to security as well...

Just my 0,2€.

Cheers

-- 
Leo "costela" Antunes
[insert a witty retort here]
