Hi Hakan,

> everything becomes a suspect! including the folks working on the project...

Branching off-topic slightly, but note that the "overly trusting publishers" issue is not limited to proprietary or antivirus related code.

Furthermore, folks working on a project do not even need to have any malicious intent; they could "just" have had their computers compromised, or even be subject to blackmail or other similar threats.

Taking steps to reduce the effectiveness of such attacks (such as ensuring they are reliably detected) is one step to ameliorate this, and is something the Reproducible Builds project is working towards.

[0] https://reproducible-builds.org/

Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-