
Re: Rebuilding packages on *all* architectures



thus spoke Russell Coker <russell@coker.com.au> [2004.09.24.1653 +0200]:
> But what if the source is modified?  Taking over a DD's machine
> and modifying the source tree that is used to make the .diff.gz
> shouldn't be impossible.  We don't have any source auditing
> processes that could deal with this.

Finding a security breach in the source is way easier than if it's
just present in the binary but has been cleaned from the source
subsequently. As I said, we won't manage to guard against all
security issues. However, we should guard against those where the
effort-effect ratio is low, and I think rebuilding binaries for all
arches is rather low effort.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

Attachment: signature.asc
Description: Digital signature

