
Re: Protections against a mad maintainer?



On Wed, 11 Sep 1996, J.H.M.Dassen wrote:

> > It just occurred to me that any evil intentioned or mad maintainer could add
> > 	rm -rf /
> > or anything of this sort in a postinst script.
> 
> Yes. Or hide stuff in the binaries. You need root permissions to install
> stuff in /bin etc.
> 
> > I just would like to know what kind of protection debian could offer against
> > such an unpleasant event. I am sure Bruce cannot afford to be very picky in the
> > choice of maintainers (there are orphan packages crying for one).
> > 
> > This is the kind of argument against Debian being used at large in my
> > institute, the result being that half the man pages are missing, even if you have
> > such a complete manpath as
> 
I would argue that Debian's large and diverse development group provides
better protection from this kind of activity than smaller, closed
development groups. This gives us a large, diverse group of testers. It is
very unusual for a package to move from unstable to stable without someone
trying it out. Because of the new pgp signatures, only one person is
responsible for the contents of the package. This makes it unlikely that
someone smart enough to build a package would not understand their
identifiability. This means that the likelihood of a "nasty" getting out
is small, and the identification of the perp is certain.
Tell your institute that Debian is better protected from this kind of
event than most Linux distributions.

Luck,

Dwarf

------------                                          --------------

aka   Dale Scheetz                   Phone:   1 (904) 877-0257
      Flexible Software              Fax:     NONE 
      Black Creek Critters           e-mail:  dwarf@polaris.net

------------ If you don't see what you want, just ask --------------
