
Re: Why should I trust sources?



>>>>> "Patrick" == Patrick Wiseman <pwiseman@mindspring.com> writes:

    > Being interested in setedit, recently recommended in another
    > thread, I went to

    > http://setedit.sourceforge.net/

    > and found the following advice:

    > An experimental Debian repository is maintained by Ivan, you can
    > add the following to your /etc/apt/sources.list: deb
    > http://setedit.sourceforge.net/debian unstable main

    > I did that and then, duh, thought "why am I trusting this site
    > to download and install software?"  And then it occurred to me
    > that the whole debian philosophy turns on my being that
    > trusting.  (Not that it's unique in that.)

I'm not sure if I really understand your question here.  You have to
trust someone, eventually.  Do you read through all the source code
before compiling?  Do you trust that debian's servers haven't been
compromised?  (OpenBSD finally got nailed this year...)  Do you trust
that your compiler hasn't been backdoored?

Or are you talking about that specific deb line?

I guess, in the end, if you don't trust that server, you could build
everything from scratch.  But then you would have to trust the source
code, and your compiler.  Kind of a no-win, if one's ultra paranoid.
Would have to code the compiler in assembly, from scratch, on a chip
you designed, at a fabrication plant you completely controlled...

Or am I COMPLETELY off track here?  If I am, slap me in the face, or
something.  ^_^

Good Luck.

Marshal


