
Re: Recompilation of ALL Debian packages ...

On Fri, Sep 01, 2006 at 02:57:27AM +0200, Sven Luther wrote:
> On Thu, Aug 31, 2006 at 05:41:11PM -0700, Russ Allbery wrote:
> > 
> > Rebuilding every package really doesn't buy you that much in the way of
> > security.  It makes it harder to hide what you did, but only harder; a
> > rogue uploader could obfuscate a trojan in source code rather well.  In
> > the end, we still trust people in the keyring.  About the only thing you
> > gain is the potential ability to do more detailed post-mortem analysis
> > after something already exploded.
> And the amount of breakage caused by actual mistakes of the uploader, like
> having random sets of non-official libraries installed and such.

Is it not part of the process of becoming a DD (or sponsorship of
packages for non-DDs) learning the "responsible" way to build packages?
That is, developers are taught to use tools like pbuilder or sbuild in
order to ensure that packages build cleanly.  I'm not saying that
mistakes will never occur.  However, I would think that the vast
majority of the people will be responsible and do it correctly the vast
majority of the time.



Roberto C. Sanchez
