On Thu, 2007-11-01 at 15:29 +0100, Guenter Dannoritzer wrote:
On Thu, 2007-11-01 at 11:33 +0100, Guenter Dannoritzer wrote:
If you are really concerned about security you have to go the whole way. The first step is to make sure the source is clean. Then check that the build was done with that clean source and not manipulated. Finally, check that the package you are installing is really the one that got built with the build service.
That's what the package maintainers do.
First, what makes you trust a package maintainer from any other distribution more than a package maintainer from openSUSE? Unless you know a person personally, I don't see any difference.
Like I said, I trust the openSUSE package maintainers. I also trust the packman, vlc, Nvidia & ATI repos. However, I have trouble determining whether I can trust certain (most notably the home:*) repositories. And again, this isn't a problem for me, but it can be for the unsuspecting users that add repositories with '1-Click'.
Right now I have the home:darix and the home:wberrier repos installed (I think because I wanted kiso). How can I determine if these are safe repos (not only in regard to malware but also in regard to breaking my system, overwriting config files, etc.)?
And what about the Games repos? Who maintains these?
Second, I am questioning whether there is any package maintainer that checks software for malicious parts. There are people that check for security breaches in software, but they are not necessarily package maintainers. I would assume that a package maintainer spends most of the time getting the software to build and fit into the distribution.
Like I said, even if this isn't the case, the whole structure in which a package moves from stable to unstable should provide enough security.