Re: Recompilation of ALL Debian packages ...
Russ Allbery writes:
> Source-code trojans are more dangerous because people fear binaries but
> think that if they've compiled it, it's fine, when the only real
> distinction is between code that's been audited and code that hasn't.
> Binaries built and uploaded by a maintainer who audits the upstream code
> are significantly safer than uncompiled source code uploaded by a
> maintainer who doesn't.
This compares apples (a maintainer who audits the upstream code) to
oranges (one who doesn't). Even given human error, the approach to
auditing a source code package is reasonably well-understood. For
binary packages, it is not, but it is clear that it is much more