On Thu, 2007-11-01 at 15:29 +0100, Guenter Dannoritzer wrote:
On Thu, 2007-11-01 at 11:33 +0100, Guenter
If you are really concerned about security you have to go the whole way.
The first step is to make sure the source is clean. Then check that the
build was done with that clean source and not manipulated. Finally that
the package you are installing is really the one that got built with the
That's what the package maintainers do.
First, what makes you trust a package maintainer from any other
distribution more than a package maintainer from openSUSE? Unless you
know a person personally, I don't see any difference.
Like I said; I trust the openSUSE package maintainers. I also trust
packman, vlc, Nvidia & ATI repos. However I have trouble determining
whether I can trust certain (most notably the home:*) repositories. And
again this isn't a problem for me, but it can be for the unsuspecting
users that add repositories with '1-Click'.
Right now I have the home:darix and the home:wberrier repos installed (I
thought because I wanted kiso). How can I determine if these are safe
repos (not only in regard to malware but also in regard to breaking my
system, overwriting config files etc)?
And what about the Games repos? Who maintains these?
Second, I am questioning whether there is any package
checks software for malicious parts. There are people that check for
security breaches in software, but they are not necessarily package
maintainers. I would assume that most of the time a package maintainer
spends goes into getting the software to build and fit into the distribution.
Like I said, even if this isn't the case, the whole structure in which a
package moves from stable to unstable should provide enough security.
Please adhere to the OpenSUSE_mailing_list_netiquette
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-buildservice+help(a)opensuse.org