[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Membership

On Saturday 14 March 2009, Leo 'costela' Antunes wrote:
> IMHO that's a false notion of "security through laziness" :).

Black hats are lazy too. They go after easy targets for maximum profit.
Getting into Debian currently takes a certain amount of demonstrated 
dedication to the project through actual hard work. You should not 
underestimate that.

> I'd say the only real deterrents to this sort of thing are NEW security
> checks [...]

That's useless IMO: just upload the first version of a package without the 
trojan and include it in -2 after it has passed NEW.
> [...] and a good identity check when signing someone's key [...]

Which only helps to sanction the black hat after his misdeeds have been 
discovered. It does nothing to prevent them.

> Not to mention the almost mythical "1000 eyeballs make any bug shallow"
> effect, which should apply - at least tangentially - to security as
> well...

Only AFTER a bug has been detected. My point is about prevention. The risk 
that a trojan will remain undetected for an extended period is quite 
large if you select the packages to put it in a bit carefully.

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: