
On Sun, 4 Nov 2007, Rajko M. wrote:
> Scanning binaries for known problems using some antivirus/rootkit software, before actually publishing, even in home:* repositories.
I personally do not like this idea much, because it can cause the risk that people believe that software is "good" if the scanner does not find anything inside.

However, any scanner that helps manual reviewing is of course very helpful.
> The scanner solution will remove some number of possible attacks. Though, they will not help for the one mentioned in this mail: http://lists.opensuse.org/opensuse/2007-11/msg00422.html
> This is out of scope of scanners, but the number of people able to create it is smaller than for known attacks.
Such a scanning system, from my point of view, is no public interface. This should run in the background by server administrators (either scanning binaries or sources). The build service users should only get to know it when one of them tries nasty things and an administrator is contacting him to tell him that he has been discovered (or else circumvention is no problem). So it gets an additional security improvement without negative side effects. Like in "We trust you, but a bit of control can't be wrong :-)".

Ciao
--
http://www.dstoecker.eu/ (PGP key available)