On Thu, Aug 31, 2006 at 05:41:11PM -0700, Russ Allbery wrote:
> Matej Cepl <[EMAIL PROTECTED]> writes:
> 
> > No, it is matter of accountability and being able to tell to the bank
> > (mentioned in Martin's presentation) that we know who compiled the
> > package and we have made reasonable precautions to be sure there are no
> > trojans inside.
> 
> Rebuilding every package really doesn't buy you that much in the way of
> security.  It makes it harder to hide what you did, but only harder; a
> rogue uploader could obfuscate a trojan in source code rather well.  In
> the end, we still trust people in the keyring.  About the only thing you
> gain is the potential ability to do more detailed post-mortem analysis
> after something already exploded.

And the amount of breakage caused by actual mistakes of the uploader, like
having random sets of non-official libraries installed and such.

Friendly,

Sven Luther
