On Sun, Sep 05, 2004 at 06:17:36PM +0200, martin f krafft wrote:
> I was not aware of this, and I consider it a horrible state of
> affairs. Seriously, if this becomes public, Debian is in serious
> trouble, I think.

<ironic> I always believed this to be a public list. </ironic>

Seriously though, all open-source projects have, in one way or another, different ways in which trusted parties can introduce trojans. The more they approach the bazaar model (vs. the cathedral model) the more the risks. It's a known risk of the bazaar model. Even an upstream author's trojaned system could introduce a trojan in the source code itself, and that could be propagated to _all_ distributions including it if it was not caught in time [1]. Doesn't a saying go "don't trust code you have not written yourself"?

You could improve the way Debian handles auto-builders [2] and the way developers prepare and submit new packages to reduce the risk, but there's no way you're going to remove it completely.

BTW, one of the advantages of the release freeze is that this kind of unexpected behaviour might be detected and fixed (given enough eyes and testers). Unless, of course, somebody coded a good-enough time bomb that knew when Debian was going to be released before we did, and was stealthy enough until a new version was released.

Regards

Javier

[1] Those trojans that we are aware of were detected on short notice after the mirror server or source was compromised.

[2] Actually, signing releases is not the correct way since auto-builders run sid and sid is not a signed release. Apt 0.6 might support signed releases, but it will not prevent some of the attacks Goswin described.