Russ Allbery writes:

> Source-code trojans are more dangerous because people fear binaries but
> think that if they've compiled it, it's fine, when the only real
> distinction is between code that's been audited and code that hasn't.
> Binaries built and uploaded by a maintainer who audits the upstream code
> are significantly safer than uncompiled source code uploaded by a
> maintainer who doesn't.

This compares apples (a maintainer who audits the upstream code) to
oranges (one who doesn't).  Even given human error, the approach to
auditing a source code package is reasonably well-understood.  For
binary packages, it is not, but it is clear that it is much more
labor-intensive.

Michael Poole
