Re: Recompilation of ALL Debian packages ...
martin f krafft wrote:
> also sprach Russ Allbery <rra@debian.org> [2006.09.01.0241 +0200]:
>> Rebuilding every package really doesn't buy you that much in the
>> way of security.
>
> This is arguable and I don't want to go there. The reason I am
> pushing for this is because of two of my clients, who have been
> wanting to use Debian for three years now but consciously decided
> against it, because it is not guaranteed that the sources and the
> binaries in our archives correspond for all architectures. They are
> well aware that trojans can still exist, but it's an entirely
> different thing whether they exist in source and hence in all
> architectures (which would result in some serious negative feedback
> or even revocation of upload rights), or just in one of the binaries
> and hence would be much harder to detect/analyse.
How big are your clients? If they're good-sized companies with a spare
computer, they can compile all the packages they use locally from Debian
source with not *too* much work.
--
Nathanael Nerode <neroden@fastmail.fm>
Bush admitted to violating FISA and said he was proud of it.
So why isn't he in prison yet?...