Re: Protections against a mad maintainer?

To: debian-user@lists.debian.org, Jean Orloff <orloff@lapp.in2p3.fr>
Subject: Re: Protections against a mad maintainer?
From: bruce@pixar.com (Bruce Perens)
Date: Wed, 11 Sep 96 10:18 PDT
Message-id: <[🔎] m0v0svu-0007vCC@mongo.pixar.com>
Reply-to: Bruce Perens <Bruce@pixar.com>

From: Jean Orloff <orloff@lapp.in2p3.fr>
> It just occured to me that any evil intentioned or mad maintainer could add
>	rm -rf /
> or anything of this sort in a postinst script.
>
> I just would like to know what kind of protection debian could offer against
> such an unpleasant event. I am sure Bruce cannot afford to be very picky in
> the choice of maintainers

This is a problem with any software - commercial or otherwise. How do you
know that a disgruntled Microsoft employee has not planted a booby-trap
in Windows 95? Indeed, several Microsoft products have shipped with viruses.
I think this is more of a problem with commercial software, since there is
much less scrutiny of the source code and the resulting binary programs than
there is with free software.

We identify the maintainers, and we provide security on the master system
so that non-maintainers will not be uploading packages. We encourage
maintainers to PGP-sign uploads, although we can't do it for everyone since
some countries (like France) prohibit encryption. If there ever was a problem,
we'd be able to trace it back to the cause and a criminal prosecution would
be the probable result.

We also have a testing program that goes on continuously. Users are on the
mailing lists the minute a problem comes up.

	Thanks

	Bruce

Reply to:

Prev by Date: re:D-Link DE-220P driver needed
Next by Date: Re: apache package
Previous by thread: Re: Protections against a mad maintainer?
Next by thread: Re: Protections against a mad maintainer?
Index(es):
- Date
- Thread