[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


On Wed, 2 Apr 1997, [iso-8859-1] Nicolás Lichtmaier wrote:

> On Wed, 2 Apr 1997, Bruce Perens wrote:
> > Unfortunately, I feel that Debian must bear the cost of certification
> > of maintainers and original authors. Unless I can tell someone I know
> > where a program came from, no other security procedures can be trusted
> > to have any effectiveness whatsoever.
>  Yes, they are. Testing, and revising developers diffs. If you could check
> package MD5 (someday we'll be able to do this =) ), you'll only need to
> see the diff.gz to check for security problems (Asuming we can trust the
> mainstream developer).
>  The proble left is: The .deb uploaded can be generated by a source not
> included in the source package. It would be great if gcc placed some kind
> of signature in binaries... but it doesn't... So.. what can we do? I say:
> let's make all developers upload only the source versions of their
> packages! An automated script can compile all the packages in some trusted
> environment.

I agree 100% with this approach. If the "pristine" source is not uploaded
by the developer, there is less source to review. The same type of
automation is needed by users. I would love to have a package that checks
my dpkg database and recompiles all installed programs in the background.
It should create a deb package by default. This would be great for getting
all the binaries optimized for a machine. My first stab at Debian was with
a pre-1.1 disk set. It was compiled for 486 and said "giving up" on my 386
test box. I had to switch my hardware around to evaluate Debian (well
worth the hassle). Such an automated system would correct such oversights.
The recent bo disks setup some unknown owner:group combinations. This
could possibly be prevented by checking against the base passwd and group

As far as building programs in general goes, I think everybody should do a
make of Perl at least once. It is a great example of how to configure,
build, test, and install a package.

Paul Wade - Greenbush Technologies Corporation
Linux CD's sent worldwide

Reply to: