[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Recompilation of ALL Debian packages ...

On Thu, Aug 31, 2006 at 05:41:11PM -0700, Russ Allbery wrote:
> Matej Cepl <ceplm@seznam.cz> writes:
> > No, it is matter of accountability and being able to tell to the bank
> > (mentioned in Martin's presentation) that we know who compiled the
> > package and we have made reasonable precautions to be sure there are no
> > trojans inside.
> Rebuilding every package really doesn't buy you that much in the way of
> security.  It makes it harder to hide what you did, but only harder; a
> rogue uploader could obfuscate a trojan in source code rather well.  In
> the end, we still trust people in the keyring.  About the only thing you
> gain is the potential ability to do more detailed post-mortem analysis
> after something already exploded.

And the amount of breakage caused by actual mistakes of the uploader, like
having random sets of non-official libraries installed and such.


Sven Luther

Reply to: