
Re: Does Debian need to enforce a better Security policy for packages?



On Mon, Oct 22, 2001 at 06:46:19PM +0200, Javier Fernández-Sanguino Peña wrote:
> 	I just made an empty package with dh_make with only a postinst
> having 'rm -rf /'. Lintian says:
> 
> $ lintian test-rm*deb
> E: test-rm: description-is-dh_make-template
> E: test-rm: helper-templates-in-copyright
> W: test-rm: readme-debian-is-debmake-template
> W: test-rm: unknown-section unknown

Lintian only checks for mistakes. If you make it try to check for
maliciousness, then the malicious packager will just make his/her trojan
more obscure to foil it - thus making it harder for the casual observer
to tell that there's a trojan there.

This is a social problem. I don't think a purely technical solution is
appropriate.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]


