Mailinglist Archive: opensuse-buildservice (349 mails)

[opensuse-buildservice] Re: How secure is openSUSE build service?
  • From: Guenter Dannoritzer <kratfkryksqq@xxxxxxxxxxxxx>
  • Date: Thu, 01 Nov 2007 11:33:24 +0100
  • Message-id: <fgca1k$v6n$1@xxxxxxxxxxxxx>
Aniruddha wrote:
> On Thu, 2007-11-01 at 00:39 +0100, Guenter Dannoritzer wrote:
> [...]
>> Would you trust a software, that you compile yourself from source on
>> your computer, more than a RPM package of that software that you got
>> from the build service? How would you tell that the source does not
>> contain malicious parts?
>
> In Gentoo/FreeBSD/Debian/Ubuntu/ you don't have to worry about that since
> the maintainer of that package checks this for you.
>
> Apparently in openSuSE there is no such safety precaution.


It appears to me that you are not worried about security, but driven by
affection for certain distributions.

I could argue that I do not trust any of the distributions you just
named, because none of their developers is accountable to any
organization. In contrast, the core developers of openSUSE are employees
and accountable to their company.

If you are really concerned about security you have to go the whole way.
The first step is to make sure the source is clean. Then check that the
build was done with that clean source and not manipulated. Finally that
the package you are installing is really the one that got built with the
build service.


Cheers,

Guenter




