On Fri, Sep 01, 2006 at 02:57:27AM +0200, Sven Luther wrote:
> On Thu, Aug 31, 2006 at 05:41:11PM -0700, Russ Allbery wrote:
> >
> > Rebuilding every package really doesn't buy you that much in the way of
> > security. It makes it harder to hide what you did, but only harder; a
> > rogue uploader could obfuscate a trojan in source code rather well. In
> > the end, we still trust people in the keyring. About the only thing you
> > gain is the potential ability to do more detailed post-mortem analysis
> > after something already exploded.
>
> And the amount of breakage caused by actual mistakes of the uploader, like
> having random sets of non-official libraries installed and such.
>

Is it not part of the process of becoming a DD (or sponsorship of packages
for non-DDs) learning the "responsible" way to build packages? That is,
developers are taught to use tools like pbuilder or sbuild in order to
ensure that packages build cleanly. I'm not saying that mistakes will never
occur. However, I would think that the vast majority of the people will be
responsible and do it correctly the vast majority of the time.

Regards,

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~roberto