On Sat, 3 Aug 2013 10:48:52 +0200 Paul Wise <[email protected]> wrote:

> On Sat, Aug 3, 2013 at 10:14 AM, Daniel Sousa wrote:
>
> > I was reading this [1] article and it brought a question to my
> > mind: How hard would it be for the FBI or the NSA or the CIA to
> > have a couple of agents infiltrated as package maintainers and
> > seeding compromised packages to the official repositories?
>
> Probably easy.
>
> > Could they submit an uncompromised source and keep a small patch
> > that they apply before building and sending it to the repository?
> > Or is the building process done on Debian servers?
>
> They could. All of the Architecture: all packages are built on
> developer machines. For most packages, at least one architecture for
> each architecture-specific binary package has been built on developer
> machines. In practice this means arch all, amd64 and some i386
> packages are built on developer machines. We have been talking about
> changing this for a long time and there is a plan but the relevant
> people haven't had time to implement it yet.

It is easy to monitor all internet traffic on a test system.

Archive: http://lists.debian.org/20130807031052.455dedca@fx4100

