On Saturday 30 January 1999, at 23 h 31, the keyboard of Larry Wilson <[EMAIL PROTECTED]> wrote:
> The professor asked me to find out:
> "What is distinctive about Debian Linux development that affects
> its assurance?"

As a recent Debian developer (Sep. 1998), let me give my opinion:

What is distinct with Debian is that:

- there is no separation between "contrib" and non-contrib (like RedHat, but also *BSD, does). All packages have the same standards of quality, as described in the Debian policy <http://www.debian.org/doc/debian-policy/>. This has some implications for security: in RedHat, non-contrib packages are checked by RedHat; for the rest, it is up to you. Since you cannot really work with just non-contrib packages, you easily install non-trusted binaries.

- all developers are registered and there are at least some attempts to try to be sure of their identity (I had to send a scan of my passport, PGP-signed of course). The names are public <http://www.debian.org/devel/people>. You know who made your package.

- all packages are PGP-signed by a developer. (The public keys are... public.)

- all bugs are public <http://www.debian.org/Bugs>, meaning that a lazy maintainer cannot conceal a security problem in one of his packages.