On Thu, 2007-11-01 at 11:33 +0100, Guenter Dannoritzer wrote:
On Thu, 2007-11-01 at 00:39 +0100, Guenter Dannoritzer wrote:
Would you trust software that you compile yourself from source on your computer more than an RPM package of that software that you got from the build service? How would you tell that the source does not contain malicious parts?
In Gentoo/FreeBSD/Debian/Ubuntu you don't have to worry about that, since the maintainer of that package checks this for you.
Apparently in openSuSE there is no such safety precaution.
It appears to me that you are not worried about security, but driven by affection for certain distributions.
Of course this isn't a valid argument. Even if I am 'driven by affection for certain distributions', this has no effect on the validity of my arguments.
Nonetheless I will address your argument. I do think that Debian (Etch) is completely unusable because of its inconsistent and buggy nature. I think that FreeBSD is great for servers but unusable for desktop (try upgrading xorg and you're in for a day's work). Gentoo is fine but only useful for absolute beginners (who don't want to install software themselves) or for expert users.
I could argue that I do not trust any of the distributions you just named, because none of their developers is accountable to any organization. In contrast, the core developers of openSUSE are employees and accountable to their company.
If you are really concerned about security you have to go the whole way. The first step is to make sure the source is clean. Then check that the build was done with that clean source and not manipulated. Finally, check that the package you are installing is really the one that got built with the build service.
That's what the package maintainers do.
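As an added example that is not part of this thread, the three checks described in the message above (audited source, build fed that source, installed package equals the build's output) expressed as one verification chain over constructed sample data and a hypothetical JSON build record. It assumes the build record itself reaches the user through a trusted, signature-checked channel; that signature check is outside what this snippet does.

```python
import hashlib
import json

# Constructed stand-ins for a source tree, the build service's build record,
# and the package a user is about to install. No real project data is used.
SOURCE = b"tiny-1.0 source tree (constructed)"
PACKAGE = b"tiny-1.0-1.x86_64.rpm contents (constructed)"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Step 1 reference: digests of source trees a maintainer actually reviewed.
TRUSTED_SOURCE_HASHES = {sha256(SOURCE)}

# Step 2 reference: hypothetical build record (assumed signed by the build
# service and already signature-verified before it reaches this code).
BUILD_RECORD = json.dumps({
    "source_sha256": sha256(SOURCE),
    "output_sha256": sha256(PACKAGE),
})


def verify_chain(source: bytes, build_record: str, package: bytes) -> list:
    """Return the list of failed checks; an empty list means the chain holds."""
    failures = []
    record = json.loads(build_record)
    src_hash = sha256(source)
    # Step 1: the source must be one that was audited, not merely any source.
    if src_hash not in TRUSTED_SOURCE_HASHES:
        failures.append("source not in audited set")
    # Step 2: the build must claim to have consumed exactly that source.
    if record.get("source_sha256") != src_hash:
        failures.append("build record does not reference audited source")
    # Step 3: the package on disk must be the artifact that build produced.
    if record.get("output_sha256") != sha256(package):
        failures.append("package hash does not match build output")
    return failures


if __name__ == "__main__":
    print(verify_chain(SOURCE, BUILD_RECORD, PACKAGE))            # []
    print(verify_chain(SOURCE, BUILD_RECORD, PACKAGE + b"\x00"))  # tampered package
```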