Ok, just my $0.02
One of the upsides of OSS development, though not completely foolproof, is that
since the code is open and viewable, anyone has the potential to spot
coded backdoors. It's also been argued that any OSS developer who was found
to intentionally put a back door into a package he/she built would be cutting
his/her own professional throat and essentially (if not actually) be
blacklisted.
Now, if someone does some sneaky redirects or infiltrates a particular file
server and replaces a normal package with a trojaned package then, well, that's
all about the admin and how tight he/she can keep the server. They had a
problem with this on one of the devel servers (I think OSDN) in Texas IIRC.
They did catch it, but not until some people/admins downloaded/installed it.
I can't remember what it was, but the devel server's admin was getting slammed
bigtime by the community.
There should always be, IMHO, a function to checksig that's ubiquitous in any
Linux program design to install code that is not of origin from the
distribution maker (or that just installs code regardless of the origin). Even
more so, it should be common practice and expected, because a fair amount build
Linux from scratch, and relying on a distribution company to ensure this form
of security won't apply to vanilla software. Redirects aren't quite as
likely IMO as infiltrating a server and replacing programs/packages.
Hmmm. Does apt-get/synaptic do a "check-sig"?
Curtis :)
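As an added illustration (not part of Curtis's post, and not the way any particular distribution or apt implements it): a small "checksig" step for a downloaded package, in Python. The checksum manifest follows the `sha256sum` output format of one `<hex digest>  <file name>` line per file. The signature over that manifest uses textbook RSA built from the standard library only so the block runs stand-alone; it is a toy to show the two checks and their order, not a substitute for gpg or a package tool's own verification. The package name `foo-1.0.tar.gz`, the package contents and the seed are constructed for the walk-through.

```python
"""Toy 'checksig' for a downloaded package: verify the manifest signature first,
then the package checksum against the manifest. Added example, stdlib only."""
import hashlib
import random


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probable-prime test (enough for a toy key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits=512, rng=None):
    """Return ((n, e), (n, d)). Toy size and no padding: illustration only."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p == q or phi % e == 0:  # need gcd(e, phi) == 1; e is prime
            continue
        return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data), d, n)  # 256-bit digest is always < n here


def verify(pub, data, sig):
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == _digest_int(data)


def build_manifest(files):
    """sha256sum-style manifest: '<hex digest>  <name>' per line."""
    return "".join(f"{hashlib.sha256(b).hexdigest()}  {name}\n"
                   for name, b in files.items()).encode()


def parse_manifest(text):
    entries = {}
    for line in text.decode().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(maxsplit=1)
        name = name.lstrip("*")  # sha256sum marks binary-mode files with '*'
        if len(digest) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest
    return entries


def check_package(pub, manifest, manifest_sig, name, data):
    """Signature first (is this the maker's manifest?), then the checksum."""
    if not verify(pub, manifest, manifest_sig):
        return False, "manifest signature does not verify"
    entries = parse_manifest(manifest)
    if name not in entries:
        return False, f"{name} is not listed in the manifest"
    if hashlib.sha256(data).hexdigest() != entries[name]:
        return False, f"checksum mismatch for {name}"
    return True, "ok"


def demo(seed=1234):
    rng = random.Random(seed)  # seeded only so the walk-through is reproducible
    pub, priv = keygen(512, rng)  # signing key held by the distribution maker
    genuine = b"constructed stand-in for the real package contents\n"
    trojaned = b"constructed stand-in for the real package contents\n# tampered\n"
    manifest = build_manifest({"foo-1.0.tar.gz": genuine})
    sig = sign(priv, manifest)
    results = {}
    # 1. package and manifest exactly as published
    results["genuine"] = check_package(pub, manifest, sig, "foo-1.0.tar.gz", genuine)
    # 2. mirror compromised: package swapped, manifest left alone
    results["swapped_package"] = check_package(pub, manifest, sig, "foo-1.0.tar.gz", trojaned)
    # 3. intruder also rewrites the manifest to match, but holds no signing key
    forged = build_manifest({"foo-1.0.tar.gz": trojaned})
    results["forged_manifest"] = check_package(pub, forged, sig, "foo-1.0.tar.gz", trojaned)
    return results


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:16} {'PASS' if ok else 'FAIL'}: {why}")
```

Case 2 is caught by the checksum; case 3 shows why a checksum file sitting next to the package on the same server is not enough on its own, since whoever replaced the package can rewrite the checksums too, but cannot produce a signature without the maker's private key. The public key itself has to reach the installing machine by a path the mirror does not control, which is the part a distribution's keyring supplies and a from-scratch build has to arrange for itself.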