Re: Recompilation of ALL Debian packages ...
On Thu, Aug 31, 2006 at 05:41:11PM -0700, Russ Allbery wrote:
> Matej Cepl <firstname.lastname@example.org> writes:
> > No, it is matter of accountability and being able to tell to the bank
> > (mentioned in Martin's presentation) that we know who compiled the
> > package and we have made reasonable precautions to be sure there are no
> > trojans inside.
> Rebuilding every package really doesn't buy you that much in the way of
> security. It makes it harder to hide what you did, but only harder; a
> rogue uploader could obfuscate a trojan in source code rather well. In
> the end, we still trust people in the keyring. About the only thing you
> gain is the potential ability to do more detailed post-mortem analysis
> after something already exploded.
And the amount of breakage caused by actual mistakes of the uploader, like
having random sets of non-official libraries installed and such.