On Fri, Sep 28, 2007 at 09:05:59AM -0700, Don Armstrong wrote:
> On Fri, 28 Sep 2007, Martin Uecker wrote:
> > You are seriously stating that it is as easy to hide a trojan in the
> > source code as in the binary?
>
> Consider the fact that we've already had such a case,[1] whereas we've
> not (to my knowledge) distributed a trojaned binary. I'm not sure
> which is easier to hide, but it seems that making a source trojan is
> at least more frequent if not easier to create.
I would not call this a trojan. But I guess I have to change my opinion
anyway. Manoj is right: trojaned upstream sources are a major security
risk, against which exact binary matches do not help. But I still think
they would eliminate a lot of other risks, which should IMHO not be
ignored.

There is some other thing I do not like about the way Debian packages
work. Every package I install can actually completely compromise my
system, because the maintainer scripts are run as root. It would be nice
if normal packages would not be allowed to have maintainer scripts and
would only be allowed to install binaries in certain paths.

Martin
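The policy Martin sketches (no maintainer scripts, files only under a fixed set of prefixes) can at least be checked for before a package reaches dpkg. The script below is an added example, not part of this thread and not Debian's own tooling: it parses the ar(1) container of a .deb with nothing but the Python standard library, lists any preinst/postinst/prerm/postrm found in control.tar, and lists every file in data.tar that would land outside an allow-list of prefixes. The allow-list is an assumption, and the sample packages it builds for itself are constructed, not real Debian packages.

```python
"""Audit a .deb before it reaches dpkg: list the maintainer scripts it carries
(dpkg runs these as root) and every file it would install outside an
allow-list of prefixes.  Added example, not Debian tooling; the allow-list
and the sample packages built below are assumptions."""
import io
import posixpath
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Assumed policy for a "normal" package: files only under these prefixes.
ALLOWED_PREFIXES = ("/usr/bin/", "/usr/lib/", "/usr/share/")


def ar_members(blob):
    """Parse the ar(1) container a .deb is wrapped in: '!<arch>\\n' followed by
    60-byte member headers; each member's data is padded to an even size."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")   # GNU ar adds '/'
        size = int(hdr[48:58].decode("ascii").strip())
        pos += 60
        members[name] = blob[pos:pos + size]
        pos += size + (size & 1)
    return members


def audit_deb(blob, allowed=ALLOWED_PREFIXES):
    """Return {'maintainer_scripts': [...], 'outside_allowed': [...], 'ok': bool}."""
    members = ar_members(blob)
    control = next(v for k, v in members.items() if k.startswith("control.tar"))
    data = next(v for k, v in members.items() if k.startswith("data.tar"))
    scripts, outside = [], []
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:*") as tf:
        for m in tf.getmembers():
            base = m.name.split("/")[-1]           # './postinst' -> 'postinst'
            if base in MAINTAINER_SCRIPTS:
                scripts.append(base)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            path = posixpath.normpath("/" + m.name)  # './usr/bin/x' -> '/usr/bin/x'
            if not m.isdir() and not path.startswith(allowed):
                outside.append(path)
    return {"maintainer_scripts": sorted(scripts),
            "outside_allowed": sorted(outside),
            "ok": not scripts and not outside}


def _tar_gz(entries):
    """Build a gzip'ed tar from (path, bytes-or-None-for-directory) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in entries:
            info = tarfile.TarInfo(path)
            if content is None:
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            else:
                info.size, info.mode = len(content), 0o755
                tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _ar(members):
    """Build the ar container: the inverse of ar_members()."""
    out = b"!<arch>\n"
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return out


def build_sample_deb(with_postinst, with_cron_file):
    """Constructed sample package (not a real Debian package)."""
    control = [("./control", b"Package: hello\nVersion: 1.0\nArchitecture: all\n")]
    if with_postinst:
        control.append(("./postinst", b"#!/bin/sh\nset -e\necho configured\n"))
    data = [("./usr/", None), ("./usr/bin/", None),
            ("./usr/bin/hello", b"#!/bin/sh\necho hello\n")]
    if with_cron_file:
        data.append(("./etc/cron.d/hello", b"* * * * * root /usr/bin/hello\n"))
    return _ar([("debian-binary", b"2.0\n"),
                ("control.tar.gz", _tar_gz(control)),
                ("data.tar.gz", _tar_gz(data))])


if __name__ == "__main__":
    for flags in ((False, False), (True, True)):
        print(flags, audit_deb(build_sample_deb(*flags)))
```

Run on a real package, read the file with `open(path, "rb").read()` and pass the bytes to audit_deb(); a non-empty maintainer_scripts list is exactly the code dpkg would execute as root during installation, and outside_allowed shows the files (cron entries, init scripts, sudoers fragments) that can do the same job without any script at all, which is why a path allow-list has to accompany a script ban.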