
Re: NSA software in Debian



On Sat, Jan 18, 2014 at 08:30:49PM +0100, Marco Saller wrote:
> I am not sure if this question has been asked or answered yet, please do not mind if I would ask it again.
> Is it possible that the NSA or other services included investigative software in some Debian packages?

It is absolutely possible. It's even possible that you yourself have
added such software to Debian! Can you prove that you haven't?

That line of thinking leads to madness. The only rational conclusion,
once you start down that path, is to turn off your computers and move to
a remote cabin in the wilderness. It will never be possible to prove
that there is no malicious software in Debian or in any other OS. Beyond
that, it will never be possible to prove that there is no malicious
*hardware* running your OS.

We can and do take care to ensure that all changes to Debian are made by
people authorized to make those changes. (Package uploads must be signed
by a Debian developer.) We can and do take care to ensure that the
packages you download have not been modified in transmission (signing of
Release files, checksums on Packages files and on packages themselves.)
Etc. If deficiencies are found in our mechanisms or policies, then we
take steps to improve them. If violations are found, then we take steps
to audit for impact and resolve any potentially malicious actions that
we identify. We take great care to minimize the likelihood of any sort
of backdoor or malicious code in Debian, but none of this can provide
100% proof that such a thing doesn't exist. Anybody that claims that
they can prove otherwise, for Debian or any other OS, is either lying or
ignorant.

noah
