RE: Guarding against evil software installation scripts?
> I don't see a clear path to doing this the "right" way, where chaos is
> prevented by something more substantial than a social convention.
>
> I have to admit that the social convention is working very well at the
> moment, though.
> > --
> Tim Freeman
> tim@fungible.com
At some point you have to "trust". Unless you're ready to read every line of code, every script, yourself every time you install anything, trust is explicit.
I "trust" binary .deb's from the Debian archives and x.debian.org mirrors. I "trust" .deb's and .rpm's when I get them from sources pointed to by their creators. I really like PGP, GPG, MD5 and other signatures on/with binary packages, at least it gives me a clearer false sense of security.
At a stretch, I'll even run a game demo or some such binary as myself which I pull down from somewhere that looks like fun.
Yes, the social convention is working very well indeed. A single source build that many people use (ftp.debian.org, ftp.kde.org, etc) also means that if anyone finds a problem in it and does something about it, they do me good too by making the next apt-get upgrade more than just exercise for my modem.
Reputation counts. I'm sure that if a maintainer was discovered to have uploaded code with such things in it, that maintainer would loose coolness points galore.
Darn, second ramble in two days. Your pardon.
Curt-
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: