On Fri, 2006-04-14 at 13:04, Eric Enright wrote:

> That would work for source code, but would it for machine code? How
> could one peer review a binary package for anything other than "does
> what it says"? Going with the example Dennis gave earlier, if someone
> introduced a back door into something, say, MySQL, it could prove
> difficult to pick up with any amount of review.
Developers don't build the bits which get packaged and distributed. Developers check in source code (and, for some consolidations, patches to source code which are applied automatically during the build).

In a tarball+deltas build model (which is used for at least the SFW and Gnome consolidations as well as for a bunch of the package aggregators like pkgsrc, debian, etc. -- I can't comment on blastwave as I've never attempted to look under the covers) you can have reasonable assurance that:

- the tarball is what the upstream provider actually distributes
- the tarball hasn't changed (via a cryptographic hash of the base tarball in the package-building metadata)
- there aren't changes that can't be thoroughly explained in the changes applied to the upstream tarball.

So, of course, there can be bugs, etc., in the upstream tarball but it's at least difficult to introduce malicious changes via packaging and patches applied via the package aggregator.

- Bill

_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
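A minimal sketch of the tarball+deltas checks Bill describes, added here as an example and not taken from the SFW, Gnome, pkgsrc or Debian build tooling: the upstream tarball is compared against the SHA-256 digest recorded in the package-building metadata, and only then is it unpacked and every local change applied as a named patch file. The one-line digest file, the `*.patch` naming and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not any consolidation's real build tooling): gate the build
# on the recorded tarball hash, then apply reviewable deltas one file at a time.

# digest FILE: SHA-256 hex digest; falls back to shasum where sha256sum is absent.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_tarball TARBALL METADATA_FILE
# METADATA_FILE holds the expected SHA-256 hex digest on one line (assumed format).
# Returns 0 when the tarball matches the recorded digest, 1 otherwise.
verify_tarball() {
    expected=$(tr -d ' \n' < "$2")
    actual=$(digest "$1")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "hash mismatch for $1: expected $expected, got $actual" >&2
    return 1
}

# apply_deltas SRCDIR PATCHDIR
# Applies every PATCHDIR/*.patch in sorted order, dry-run first, so each change
# to upstream source is an explicit, reviewable patch file and nothing else.
apply_deltas() {
    for p in "$2"/*.patch; do
        [ -e "$p" ] || continue
        patch -d "$1" -p1 --dry-run < "$p" >/dev/null || return 1
        patch -d "$1" -p1 < "$p" >/dev/null || return 1
    done
    return 0
}

# prepare_source TARBALL METADATA_FILE BUILDDIR PATCHDIR
# Refuses to unpack anything unless the tarball hash checks out.
prepare_source() {
    verify_tarball "$1" "$2" || return 1
    mkdir -p "$3"
    tar -xf "$1" -C "$3" || return 1
    apply_deltas "$3" "$4"
}
```

Run as `prepare_source foo-1.0.tar foo.sha256 build/ patches/`; a tampered tarball is rejected before any extraction happens.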