On Wed, 2 Apr 1997, Bruce Perens wrote:

> Unfortunately, I feel that Debian must bear the cost of certification
> of maintainers and original authors. Unless I can tell someone I know
> where a program came from, no other security procedures can be trusted
> to have any effectiveness whatsoever.

 Yes, they are. Testing, and revising developers' diffs. If you could check
package MD5 (someday we'll be able to do this =) ), you'll only need to
see the diff.gz to check for security problems (assuming we can trust the
mainstream developer).
 The problem left is: the .deb uploaded can be generated by a source not
included in the source package. It would be great if gcc placed some kind
of signature in binaries... but it doesn't... So... what can we do? I say:
let's make all developers upload only the source versions of their
packages! An automated script can compile all the packages in some trusted
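The procedure sketched in the message above (check the listed package digests, then rebuild the binary from the shipped source in a trusted environment and compare it with what was uploaded) as an added example in Python. This is not code from the thread or from Debian's own tools: the manifest layout ("<digest> <size> <name>" per line, modelled on the Files: block of a .changes file), the file names and all file contents are constructed for the demo. It keeps MD5 as the default because that is what the post asks for, but MD5 is no longer collision resistant, so the rebuild comparison uses SHA-256 and verify_manifest takes the algorithm as a parameter.

```python
# Added example, not part of the original thread or of Debian's tooling.
# (1) verify every file the uploader listed, by digest and size, against the
#     upload directory;
# (2) compare the uploaded binary with one rebuilt from the same source.
# Manifest layout and all sample files below are constructed for this demo.
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text):
    """Parse '<digest> <size> <name>' lines into {name: (digest, size)}."""
    entries = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("malformed manifest line: %r" % line)
        digest, size, name = parts
        # Refuse names with directory components so a manifest cannot point
        # the checker outside the upload directory.
        if os.path.basename(name) != name:
            raise ValueError("path component in manifest name: %r" % name)
        entries[name] = (digest.lower(), int(size))
    return entries


def file_digest(path, algo="md5"):
    """Hex digest of a file, read in chunks so large tarballs stay off the heap."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest_text, directory, algo="md5"):
    """Return {name: 'ok' | 'missing' | 'size-mismatch' | 'digest-mismatch'}.

    algo defaults to md5 to match the post; MD5 is no longer collision
    resistant, so pass 'sha256' for anything produced today.
    """
    results = {}
    for name, (digest, size) in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif not hmac.compare_digest(file_digest(path, algo), digest):
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def rebuilt_matches_upload(uploaded, rebuilt):
    """True when the binary rebuilt from the shipped source is byte-identical
    to the uploaded one (compared via SHA-256 rather than MD5)."""
    return hmac.compare_digest(file_digest(uploaded, "sha256"),
                               file_digest(rebuilt, "sha256"))


def demo():
    """Constructed scenario: an honest upload, then the .deb is swapped for a
    same-size binary not built from the shipped source, the diff is
    truncated and the orig tarball goes missing."""
    with tempfile.TemporaryDirectory() as d:
        upload = {
            "foo_1.0.orig.tar.gz": b"pretend orig tarball",
            "foo_1.0-1.diff.gz": b"pretend debian diff",
            "foo_1.0-1_i386.deb": b"pretend binary built from the source",
        }
        for name, data in upload.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = "\n".join(
            "%s %d %s" % (file_digest(os.path.join(d, n)), len(data), n)
            for n, data in upload.items())
        before = verify_manifest(manifest, d)

        # Trusted rebuild from the same source: identical bytes in this demo.
        rebuilt = os.path.join(d, "rebuilt_foo_1.0-1_i386.deb")
        with open(rebuilt, "wb") as f:
            f.write(upload["foo_1.0-1_i386.deb"])
        deb = os.path.join(d, "foo_1.0-1_i386.deb")
        match_before = rebuilt_matches_upload(deb, rebuilt)

        # Tampering: same length, different content (36 bytes either way).
        with open(deb, "wb") as f:
            f.write(b"pretend binary built from elsewhere!")
        with open(os.path.join(d, "foo_1.0-1.diff.gz"), "wb") as f:
            f.write(b"pretend debian")
        os.remove(os.path.join(d, "foo_1.0.orig.tar.gz"))
        after = verify_manifest(manifest, d)
        match_after = rebuilt_matches_upload(deb, rebuilt)
        return {"before": before, "match_before": match_before,
                "after": after, "match_after": match_after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The size check runs before the digest so a same-size substitution (the case the post worries about, a .deb built from other source) is only caught by the digest; the rebuild comparison is what actually ties the binary to the shipped source, and it is only as trustworthy as the build environment and the reproducibility of the build.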

