Re: Debian Membership

On Saturday 14 March 2009, Leo 'costela' Antunes wrote:
> IMHO that's a false notion of "security through laziness" :).

Black hats are lazy too. They go after easy targets for maximum profit.
Getting into Debian currently takes a certain amount of demonstrated 
dedication to the project through actual hard work. You should not 
underestimate that.

> I'd say the only real deterrents to this sort of thing are NEW security
> checks [...]

That's useless IMO: just upload the first version of a package without the 
trojan and include it in -2 after it has passed NEW.

> [...] and a good identity check when signing someone's key [...]

Which only helps to sanction the black hat after his misdeeds have been 
discovered. It does nothing to prevent them.

> Not to mention the almost mythical "1000 eyeballs make any bug shallow"
> effect, which should apply - at least tangentially - to security as
> well...

Only AFTER a bug has been detected. My point is about prevention. The risk 
that a trojan will remain undetected for an extended period is quite 
large if you select the packages to put it in a bit carefully.

