On Thu, 1 Nov 2007, Aniruddha wrote:
On Thu, 2007-11-01 at 11:33 +0100, Guenter Dannoritzer wrote:
In Gentoo/FreeBSD/Debian/Ubuntu/ you don't have to worry about that since the maintainer of that package checks this for you.
Apparently in openSuSE there is no such safety precaution.
It appears to me that you are not worried about security, but driven by affection to a certain distributions.
Off course this isn't a valid argument. Even if I am 'driven by affection to a certain distributions' this has no effect on the validity of my arguments.
No. None of the distributions you mention has a way to prevent the basic idea, that you need to trust somebody (and this multiple somebodies).
Some years ago I got maintainer of the "pavuk"-package. I did major changes in the source code which resulted in a nearly 100% code reworking. Now my pavuk version is in all the major packages (Debian, BSD, SUSE, ...). If I would have included a malicious tool, the chances to detect it are very low except you are highly experienced and I'm to dumb to write such code (as I'm programming nearly 20 years now, already wrote virus checkers and analyzed virues and do networking programming for 10 years now, I doubt that).
So when using pavuk, you need first to trust me. There are probably 3 to 5 people on the world, who did have a deeper look at the source code. Probably 2 of them still are active (one of them am I).
Next you need to trust the package maintainers. E.g. for Debian Petr Czech is probably the only one caring for it. He has little time and for sure does not look at the code I change. Nobody else at Debian looks at the stuff I think. If he would add a security hack, the changes would be very high nobody could detect them (at least for a long time). So you need to trust him also, when you use pavuk.
And when you install it, you probably do not even know, that you need to trust me, him and all the previous pavuk authors (and also the server maintainers, the build server maintainers and lots of other people).
So the idea you describe will only work for commercial companies and also only for a small number of packages and also only to some extend (full code reviews are much to expensive).
The way openSUSE is going now (individual keys, a network of trust, ...) is the best possible solution, as it's the only working way.
Some suggestion I got when writing this.
1) Is it possible to view the packages source files from the point of non-registered users? If not, this should be possible. 2) I would like a "package is downloaded unmodified from xxx" flag for the source packages. 3) A malware code scanner could be introduced, which from time to time scans all the build-service stuff and searches code, which is know to be malware (rootkits, ...)
Ciao