Re: Debian Membership

To: debian-project@lists.debian.org
Cc: debian-project@lists.debian.org, debian-newmaint@lists.debian.org
Subject: Re: Debian Membership
From: Leo 'costela' Antunes <costela@debian.org>
Date: Sat, 14 Mar 2009 15:20:59 +0100
Message-id: <[🔎] 49BBBD4B.4040109@debian.org>
In-reply-to: <[🔎] 200903141306.36907.elendil@planet.nl>
References: <[🔎] 20090314100358.GQ6307@matthew.ath.cx> <[🔎] 200903141140.56733.elendil@planet.nl> <[🔎] 49BB99AB.20105@debian.org> <[🔎] 200903141306.36907.elendil@planet.nl>

[still not subscribed to -newmaint, just keeping the cross-post]

Frans Pop wrote:
> On Saturday 14 March 2009, Leo 'costela' Antunes wrote:
>> IMHO that's a false notion of "security through laziness" :).
> 
> Black hats are lazy too. They go after easy targets for maximum profit.
> Getting into Debian currently takes a certain amount of demonstrated 
> dedication to the project through actual hard work. You should not 
> underestimate that.

I do agree it plays a role, but I don't think we should overestimate its
deterring factor either, so I wouldn't use it as an argument against
careful reworking of the NM process. (though I do see the value of
pointing it out!)

> That's useless IMO: just upload the first version of a package without the 
> trojan and include it in -2 after it has passed NEW.

True.

>> [...] and a good identity check when signing someone's key [...]
> 
> Which only helps to sanction the black hat after his misdeeds have been 
> discovered. It does nothing to prevent them.

But this should fit with the "lazy" argument above. If you consider the
time and work it takes to automatically infect potentially millions of
Debian machines a deterrent, then certainly the trouble of your actions
being easily traced back to you should act as just as big (if not
greater) a deterrent.

>> Not to mention the almost mythical "1000 eyeballs make any bug shallow"
>> effect, which should apply - at least tangentially - to security as
>> well...
> 
> Only AFTER a bug has been detected. My point is about prevention. The risk 
> that a trojan will remain undetected for an extended period is quite 
> large if you select the packages to put it in a bit carefully.

Agreed. The point - which I should have made clearer - was just that the
chance of a trojan being caught this way is directly proportional to the
user base of the infected package and thus also to the amount damage it
could make (which I guess is exactly what you mean by "select the
packages carefully" :) ).

Cheers

-- 
Leo "costela" Antunes
[insert a witty retort here]

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- Debian Membership
  - From: Matthew Johnson <mjj29@debian.org>
- Re: Debian Membership
  - From: Frans Pop <elendil@planet.nl>
- Re: Debian Membership
  - From: Leo 'costela' Antunes <costela@debian.org>
- Re: Debian Membership
  - From: Frans Pop <elendil@planet.nl>

Prev by Date: Re: Debian Membership
Next by Date: Re: Debian Membership
Previous by thread: Re: Debian Membership
Next by thread: Re: Debian Membership
Index(es):
- Date
- Thread