On Tue, 9 May 2000, jeff covey wrote:

> individuals, does rpm provide a warning like "This package has not
> been prepared by Red Hat. While it's probably fine, we cannot confirm
> that it will work with your system. Continue installation? [Y/n]"?

One thing I hear often about .debs is that we basically are the only provider [particularly of the base system], so all .debs 'work' with your system.

> I'm not asking about them being altered after the fact; I'm just
> confirming that a procedure is in place to double-check the official
> signed packages to confirm that, for example, a disgruntled employee

We have no official auditing of packages, but before we make a stable release the packages are put through a lot of testing and investigation; it would be hard for a simple attack to get through. Smart, devilish attacks I think could pass into stable undetected if one of our maintainers decided to make one. People do monitor the upload list to make sure that the 'right people' are uploading the 'right packages', which tends to defuse the worst things (like libc6 trojans, etc.).

> [Debian folks: This is even more of a question for you, since you're
> accepting packages from people from all over, who may only have their
> reputations, not their jobs and the threat of prosecution, hanging

Actually, we go through a fairly intensive ID process before we accept a package from anyone. If someone does decide to do something nasty we will know exactly who it was, and depending on local laws they may face prosecution. Look at http://www.debian.org/devel/join/nm-checklist; it has some information about this process.

> Unfortunately, Joe's package also did something else: It replaced
> /bin/rpm with a version that will not install any version of sendmail

Unless you sandbox the install scripts this is impossible to prevent :<

Jason
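As an added example (not from this thread and not Debian's or Red Hat's tooling), here is a small static check that flags lines in a maintainer script which overwrite a package-manager binary such as /bin/rpm, the kind of hostile postinst the reply above says only sandboxing can truly prevent. The protected-path list, the command list and the sample postinst are constructed for illustration.

```python
"""Flag maintainer-script lines that overwrite package-manager binaries."""
import shlex
from typing import List, Tuple

# Binaries an install script has no business replacing (constructed list).
PROTECTED_PATHS = {"/bin/rpm", "/usr/bin/rpm", "/usr/bin/dpkg", "/usr/bin/apt-get"}

# Shell commands whose arguments name files they modify (constructed list).
MUTATING_CMDS = {"cp", "mv", "install", "ln", "rm", "chmod", "chown", "dd", "tee"}


def _tokens(line: str) -> List[str]:
    """Tokenize one shell line; comments are dropped, bad quoting is tolerated."""
    try:
        return shlex.split(line, comments=True)
    except ValueError:
        return line.split("#", 1)[0].split()


def find_protected_writes(script: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for lines that mutate a protected path.

    A line is flagged when a mutating command gets a protected path as an
    argument, or when output redirection (> or >>) targets one.  Merely
    running the binary, e.g. '/bin/rpm -q foo', is not flagged.
    """
    findings = []
    for lineno, raw in enumerate(script.splitlines(), start=1):
        toks = _tokens(raw)
        if not toks:
            continue
        cmd = toks[0].rsplit("/", 1)[-1]  # '/bin/cp' -> 'cp'
        mutates = cmd in MUTATING_CMDS and any(a in PROTECTED_PATHS for a in toks[1:])
        redirects = any(
            (t in (">", ">>") and i + 1 < len(toks) and toks[i + 1] in PROTECTED_PATHS)
            or (t.startswith(">") and t.lstrip(">") in PROTECTED_PATHS)
            for i, t in enumerate(toks)
        )
        if mutates or redirects:
            findings.append((lineno, raw.strip()))
    return findings


# Constructed postinst: one legitimate query, then the hostile replacement.
SAMPLE_POSTINST = """#!/bin/sh
set -e
# Legitimate: ask the package manager whether sendmail is present.
/bin/rpm -q sendmail >/dev/null 2>&1 || true
# Hostile (constructed): swap the package manager for a wrapper.
cp /usr/lib/joe/rpm.wrapped /bin/rpm
chmod 755 /bin/rpm
"""

if __name__ == "__main__":
    for lineno, line in find_protected_writes(SAMPLE_POSTINST):
        print(f"line {lineno}: {line}")
```

This is a heuristic over plain shell text; an obfuscated or binary helper invoked by the script would slip past it, which is why the reply's point about sandboxing stands.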

