Mailinglist Archive: opensuse-buildservice (349 mails)

[opensuse-buildservice] Re: How secure is openSUSE build service?
  • From: "Eric M. Gearhart" <eric@xxxxxxxxxxxxx>
  • Date: Thu, 1 Nov 2007 06:01:21 +0000 (UTC)
  • Message-id: <1130715.71193896881705.JavaMail.root@xxxxxxxxxxxxxx>
For Gentoo/FreeBSD/Debian/Ubuntu/ there aren't additional repositories
necessary since these distributions maintain 14000-22000 packages
themselves. openSUSE on the other hand forces you to use 3rd party
repositories to get basic functionality working (see
http://opensuse-community.org/Restricted_Formats/10.3 ).

Not true. The same restricted formats are unavailable in
Gentoo/FreeBSD/Debian/Ubuntu until you add 3rd party repositories, which were
built and created by people that aren't part of that distribution's "official
team." You still have the same problem.

If you're this paranoid about third-party packages you'd do best to buy a
commercial distro such as SLED 10 and only update from its official update
source. It seems anything built by the community-at-large would not be trusted
by you... it would be nearly impossible to achieve the level of integrity that
you're asking for, unless a company was involved that verified each package
didn't do anything nasty (that's why I mention a commercial distro). Just doing
an md5 sum of a package and signing it doesn't guarantee that the packager
still isn't doing something evil in the package itself... you'd still have to
trust the package maintainer at the end of the day.

Just my .02
--
Eric
http://nixwizard.net
