List:       debian-security
Subject:    Re: Rebuilding packages on *all* architectures
From:       martin f krafft <madduck () debian ! org>
Date:       2004-09-25 8:54:34
Message-ID: 20040925085434.GB11169 () fishbowl

thus spoke Russell Coker <russell@coker.com.au> [2004.09.24.1653 +0200]:
> But what if the source is modified?  Taking over a DD's machine
> and modifying the source tree that is used to make the .diff.gz
> shouldn't be impossible.  We don't have any source auditing
> processes that could deal with this.

Finding a security breach in the source is way easier than if it's
just present in the binary but has been cleaned from the source
subsequently. As I said, we won't manage to guard against all
security issues. However, we should guard against those where the
effort-effect ratio is low, and I think rebuilding binaries for all
arches is rather low effort.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
