On Sun 17 Feb 2008 17:48:16 Alexander Schmehl wrote:
> Well, a rogue hacker would need to be quite skilled to add some kind of
> "bad" package.
>
> Let's assume he has created a bad package and got control over a mirror

How about a simpler attack vector: compromise a devel account, and sneak in a patch to be automatically incorporated to a package. Is this feasible?

I understand that this case would not reflect what the OP asked about, but still.

regards
FF