On Tue, Jun 24, 2008 at 11:31:25PM -0500, Nicolas Williams wrote:
> On Wed, Jun 25, 2008 at 09:50:02AM +0530, Venky wrote:
> > On Tue, Jun 24, 2008 at 11:07:35PM -0500, Shawn Walker wrote:
> > > Yes, but again, that's where policy comes in. As the recent debian
> > > problem with OpenSSL shows, just because you have a fully-repeatable
> > > build recipe and source does not guarantee that a security problem
> > > won't be introduced.
> >
> > Perfect example, thank you! Do you think this flaw would have been
> > discovered if Debian did not have a policy of requiring source?
>
> Actually, yes. People certainly could (and should) have noticed the
> problem without having to inspect source.
Okay, now that would be amazing! The actual flaw in this case just made the number of possible random number seed values drop to 32,768. I'd be stunned if someone figured this out without looking at the source.

Venky.

--
One hundred thousand lemmings can't be wrong.

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
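The disagreement above (whether a generator reduced to 32,768 seeds could be spotted without reading source) can be checked with a black-box test. The following is an added example, not code from the thread or from OpenSSL: it models a key generator whose only entropy is a 15-bit seed (a constructed stand-in, not the real Debian code path) and shows that simply collecting keys from a fleet of hosts and counting duplicates exposes the flaw, with the birthday bound predicting how many hosts are needed.

```python
import hashlib
import math
import random
from collections import Counter

SEED_BITS = 15                      # 2**15 = 32,768 seeds, the figure quoted in the thread
SEED_SPACE = 2 ** SEED_BITS


def weak_keygen(seed):
    """Constructed model of a generator whose only entropy is a 15-bit seed.
    The hash stands in for key derivation; it is not OpenSSL's algorithm."""
    assert 0 <= seed < SEED_SPACE
    return hashlib.sha256(b"toy-key-" + seed.to_bytes(2, "big")).hexdigest()


def strong_keygen(rng):
    """Same shape of generator but fed 256 bits of entropy, for comparison."""
    return hashlib.sha256(b"toy-key-" + rng.getrandbits(256).to_bytes(32, "big")).hexdigest()


def generate_fleet(n_hosts, rng, weak=True):
    """Simulate n_hosts machines each generating one key at install time."""
    if weak:
        return [weak_keygen(rng.randrange(SEED_SPACE)) for _ in range(n_hosts)]
    return [strong_keygen(rng) for _ in range(n_hosts)]


def duplicate_keys(keys):
    """Defender's check: which public keys appear on more than one host?
    Needs only the observed keys, no source access."""
    return {k: c for k, c in Counter(keys).items() if c > 1}


def collision_probability(n_keys, space=SEED_SPACE):
    """Birthday bound: P(at least one repeated key) ~ 1 - exp(-n(n-1)/(2*space))."""
    return 1.0 - math.exp(-n_keys * (n_keys - 1) / (2.0 * space))


if __name__ == "__main__":
    rng = random.Random(2008)          # fixed so the run is reproducible
    fleet = generate_fleet(2000, rng)
    print("predicted collision probability:", round(collision_probability(2000), 6))
    print("duplicate keys found across 2000 hosts:", len(duplicate_keys(fleet)))
    print("duplicates with a proper generator:", len(duplicate_keys(generate_fleet(2000, rng, weak=False))))
```

With a 15-bit seed space the birthday bound passes 50% at roughly 215 hosts, so any survey of a few hundred deployed keys would have shown repeats; the same survey of a properly seeded generator shows none.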
