Re: Recompilation of ALL Debian packages ...
Matej Cepl <firstname.lastname@example.org> writes:
> No, it is matter of accountability and being able to tell to the bank
> (mentioned in Martin's presentation) that we know who compiled the
> package and we have made reasonable precautions to be sure there are no
> trojans inside.
Rebuilding every package really doesn't buy you that much in the way of
security. It makes it harder to hide what you did, but only harder; a
rogue uploader could obfuscate a trojan in source code rather well. In
the end, we still trust people in the keyring. About the only thing you
gain is the potential ability to do more detailed post-mortem analysis
after something already exploded.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>