Hi Hakan,

> everything becomes a suspect!  including the folks working on the project...  

Branching off-topic slightly, but note that the "overly trusting
publishers" issue is not limited to proprietary or antivirus
related code.

Furthermore, folks working on a project do not even need to have
any malicious intent; they could "just" have had their computers
compromised, or even be subject to blackmail or other similar

Taking steps to reduce the effectiveness of such attacks (such as
ensuring they are reliably detected) is one step to ameliorate
this, and is something the Reproducible Builds project is working

  [0] https://reproducible-builds.org/

