On Fri, 2006-04-14 at 13:04, Eric Enright wrote:
> That would work for source code, but would it for machine code?  How
> could one peer review a binary package for anything other than "does
> what it says"?  Going with the example Dennis gave earlier, if someone
> introduced a back door into something, say, MySQL, it could prove
> difficult to pick up with any amount of review.

Developers don't build the bits which get packaged and distributed.
Developers check in source code (and, for some consolidations, patches
to source code which are applied automatically during the build).

In a tarball+deltas build model (which is used for at least the SFW and
Gnome consolidations as well as by a bunch of the package aggregators
like pkgsrc, debian, etc. -- I can't comment on blastwave as I've
never attempted to look under the covers) you can have reasonable
assurance that:
 - the tarball is what the upstream provider actually distributes
 - the tarball hasn't changed (via a cryptographic hash of the base
tarball in the package-building metadata)
 - there aren't changes that can't be thoroughly explained in the
changes applied to the upstream tarball.

So, of course, there can be bugs, etc., in the upstream tarball but it's
at least difficult to introduce malicious changes via packaging and
patches applied via the package aggregator.

                                - Bill
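The two assurances above (the base tarball's hash matches the package-building metadata, and every change applied on top of it is accounted for) are cheap to check mechanically before a build starts. The script below is an added example, not code from this thread or from any of the build systems it mentions; the metadata file format (`upstream_sha256=` and `patch=` lines), the file names, and the sample tarball and patch it constructs are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from any build system it names:
# the two pre-build checks a tarball+deltas packager can make. The metadata
# format (upstream_sha256=..., patch=...), file names and fixture contents
# are assumptions.
set -u

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball METADATA TARBALL
# Succeeds only when the tarball's hash equals the upstream_sha256 recorded
# in the package-building metadata. An empty or missing record is a failure,
# so a tarball with no pinned hash can never pass.
verify_tarball() {
    expected=$(sed -n 's/^upstream_sha256=//p' "$1")
    actual=$(sha256_of "$2")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# check_patch_inventory METADATA PATCHDIR
# Succeeds only when the set of patch files on disk is exactly the set the
# metadata lists, so an unlisted (unexplained) patch, or a listed one that
# has gone missing, is detected before anything is applied.
check_patch_inventory() {
    listed=$(sed -n 's/^patch=//p' "$1" | sort)
    on_disk=$(cd "$2" && ls -1 | sort)
    [ "$listed" = "$on_disk" ]
}

# make_fixture DIR
# Builds a constructed sample: a stand-in "tarball" (plain bytes; the hash
# check does not care what is inside), one patch, and metadata pinning both.
make_fixture() {
    mkdir -p "$1/patches"
    printf 'constructed stand-in for foo-1.0.tar.gz\n' > "$1/foo-1.0.tar.gz"
    printf -- '--- a/main.c\n+++ b/main.c\n@@ -1 +1 @@\n-old\n+new\n' \
        > "$1/patches/0001-fix-build.patch"
    {
        echo "upstream_sha256=$(sha256_of "$1/foo-1.0.tar.gz")"
        echo "patch=0001-fix-build.patch"
    } > "$1/metadata"
}

# demo: run both checks on a clean fixture, then on a tampered copy.
demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    verify_tarball "$d/metadata" "$d/foo-1.0.tar.gz" && echo "tarball hash: ok"
    check_patch_inventory "$d/metadata" "$d/patches" && echo "patch inventory: ok"

    # Simulate tampering: alter the tarball and drop in an unlisted patch.
    printf 'x' >> "$d/foo-1.0.tar.gz"
    : > "$d/patches/0002-unlisted.patch"
    verify_tarball "$d/metadata" "$d/foo-1.0.tar.gz" || echo "tarball hash: MISMATCH"
    check_patch_inventory "$d/metadata" "$d/patches" || echo "patch inventory: UNLISTED PATCH"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh verify-upstream.sh --demo` to see both checks pass on the clean fixture and fail on the tampered one. The hash pin only protects the bytes the packager recorded; it says nothing about whether upstream's own tarball is sound, which is exactly the residual risk the reply above concedes.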

_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org