Re: Rebuilding packages on *all* architectures
On Mon, Sep 06, 2004 at 10:13:12AM +0200, Javier Fernández-Sanguino Peña wrote:
> Seriously though, all open-source projects have, in one way or another,
> different ways in which trusted parties can introduce trojans. The more
> they approach the bazaar model (vs. the cathedral model) the more the
> risks. It's a known risk of the bazaar model. Even an upstream author's
> trojaned system could introduce a trojan in the source code itself and that
> could be propagated to _all_ distributions including it if it was not
> caught in time [1]. Doesn't a saying go "don't trust code you have not
> written yourself".
I respectfully disagree that open-source/bazaar models are more at risk
for trojans, or any other kind of corruption for that matter.
Cathedral/closed-source models are more at risk simply because they
contain more and better hiding places. The only other conclusion that
could be made is that Cathedral/closed-source participants are more
morally and ethically inclined; in fact, real-world evidence points in the
opposite direction. Don't trust those who are unwilling to show you the
source.
--
Doug Jensen