On Wed, 2 Apr 1997, Bruce Perens wrote:
> Unfortunately, I feel that Debian must bear the cost of certification
> of maintainers and original authors. Unless I can tell someone I know
> where a program came from, no other security procedures can be trusted
> to have any effectiveness whatsoever.
Yes, they are. Testing, and revising developers' diffs. If you could check package MD5 (someday we'll be able to do this =) ), you'll only need to see the diff.gz to check for security problems (assuming we can trust the mainstream developer).

The problem left is: the .deb uploaded can be generated by a source not included in the source package. It would be great if gcc placed some kind of signature in binaries... but it doesn't... So.. what can we do?

I say: let's make all developers upload only the source versions of their packages! An automated script can compile all the packages in some trusted environment.

-- 
Nicolás Lichtmaier.-   | Try visiting #debian in Undernet (us.undernet.org)
[EMAIL PROTECTED]      | The channel of the debian developers =)
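The "check package MD5 before building" step proposed above, as an added example (not code from this thread or from Debian's own tools): a small checker that verifies the orig tarball and diff.gz of a source-only upload against a manifest, so a trusted autobuilder only compiles what the listed checksums cover. The manifest layout is assumed to mirror the `Files:` field of a `.dsc` (md5sum, size, filename per line); the package and its contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def parse_files_field(text):
    """Return [(md5, size, name)] from a .dsc-style 'Files:' block (assumed layout)."""
    entries, in_files = [], False
    for line in text.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files and line.startswith(" "):
            md5, size, name = line.split()
            entries.append((md5, int(size), name))
        elif in_files:
            break  # next field ends the block
    return entries

def verify_upload(files_field, directory):
    """Hash every listed file in `directory`; return the names that fail."""
    bad = []
    for md5, size, name in parse_files_field(files_field):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            bad.append(name)  # missing file: nothing to build from
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != size or hashlib.md5(data).hexdigest() != md5:
            bad.append(name)  # content differs from what the manifest vouches for
    return bad

def demo():
    """Constructed upload: verify it, tamper with the diff, verify again."""
    d = tempfile.mkdtemp()
    parts = {"example_1.0.orig.tar.gz": b"constructed orig tarball",
             "example_1.0-1.diff.gz": b"constructed debian diff"}
    lines = ["Files:"]
    for name, data in parts.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
        lines.append(" %s %d %s" % (hashlib.md5(data).hexdigest(), len(data), name))
    field = "\n".join(lines) + "\n"
    clean = verify_upload(field, d)
    # Append something the manifest never covered; the diff must now fail.
    with open(os.path.join(d, "example_1.0-1.diff.gz"), "ab") as fh:
        fh.write(b"\n+extra line nobody reviewed")
    return clean, verify_upload(field, d)

if __name__ == "__main__":
    print(demo())
```

The checker only proves the files match what the manifest claims; the thread's point still holds that the manifest itself (and the `.deb` built from it) is only as trustworthy as the signer and the build environment.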