On 06/07/2009 06:33 PM, simplejack wrote:
> Is sourceforge (or any of the other repositories for open source software)
> actually doing a compile and compare of uploaded source code to ensure that
> uploaded binaries are legitimate?
> 
> I know, I know: I'm lazy. Why should the processing burden be centralized
> vs. distributed, but having a central body actually signing off on the
> legitimacy of the files they are sending would go a long way to reassuring
> its users.

I don't believe that sourceforge (or any other major free software
service provider) does this.

however, most gnu/linux distributions do.  If you want a centralized
software aggregator who cryptographically signs off on packages at their
own distribution step, you should install debian or ubuntu (i know they
do this, through secure apt) or fedora or gentoo (i'm pretty sure they
do).  I can't speak for other distros.

The usual caveats apply, of course: trusting the distro is often the
same as trusting the weakest link in the chain -- the most sloppy
developer with commit privileges to the distro, or the most sloppy
upstream developer, or the least-secured machinery in the chain between
you and the original developer who wrote the code.

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature
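The "signing off at the distribution step" that dkg describes is, in secure apt, a chain of hashes rooted in one signature: the archive key signs the Release file, the Release file lists the hash of the Packages index, and the Packages index lists the hash of every .deb. The following is an added example, not code from the thread or from apt, that models that chain with constructed data and checks every link; the archive's OpenPGP signature is stood in for by an HMAC-SHA256 under a constructed key (ARCHIVE_KEY), since only the hash links are the point here, and the file names and package bytes are invented.

```python
import hashlib
import hmac

# Constructed example: a miniature model of the secure-apt trust chain.
# The archive's OpenPGP signature over Release is stood in for by an
# HMAC-SHA256 under ARCHIVE_KEY (an assumption for this example); the
# SHA-256 links from Release -> Packages -> .deb are the real checks.

ARCHIVE_KEY = b"constructed-archive-key"  # stand-in for the archive signing key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_release(release_text: bytes, key: bytes) -> str:
    # Stand-in for the detached OpenPGP signature on the Release file.
    return hmac.new(key, release_text, hashlib.sha256).hexdigest()


def verify_release_signature(release_text: bytes, signature_hex: str, key: bytes) -> bool:
    expected = sign_release(release_text, key)
    return hmac.compare_digest(expected, signature_hex)


def parse_manifest(text: str) -> dict:
    # Lines of "<sha256hex>  <name>", like the SHA256 stanza in Release/Packages.
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split()
        entries[name] = digest
    return entries


def verify_chain(release_text: bytes, release_sig: str, packages_text: bytes,
                 debs: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means every link verified."""
    # Link 0: signature over Release. If this fails, nothing below it is trusted.
    if not verify_release_signature(release_text, release_sig, key):
        return ["Release signature does not verify; nothing below it can be trusted"]
    # Link 1: the signed Release pins the hash of the Packages index.
    release = parse_manifest(release_text.decode())
    expected_pkg_digest = release.get("Packages")
    if expected_pkg_digest is None:
        return ["Release does not list Packages"]
    if sha256_hex(packages_text) != expected_pkg_digest:
        return ["Packages index does not match hash in signed Release"]
    # Link 2: the (now trusted) Packages index pins the hash of each .deb.
    packages = parse_manifest(packages_text.decode())
    problems = []
    for name, content in debs.items():
        expected = packages.get(name)
        if expected is None:
            problems.append(f"{name}: not listed in Packages index")
        elif sha256_hex(content) != expected:
            problems.append(f"{name}: content does not match hash in Packages index")
    return problems


def build_archive():
    # Constructed archive: two invented packages, an index over them,
    # and a Release file over the index, signed with the stand-in key.
    debs = {
        "hello_1.0_amd64.deb": b"constructed package bytes",
        "foo_2.1_amd64.deb": b"another constructed package",
    }
    packages_text = "".join(f"{sha256_hex(c)}  {n}\n" for n, c in debs.items()).encode()
    release_text = f"{sha256_hex(packages_text)}  Packages\n".encode()
    return release_text, sign_release(release_text, ARCHIVE_KEY), packages_text, debs


def demo():
    release_text, sig, packages_text, debs = build_archive()
    ok = verify_chain(release_text, sig, packages_text, debs, ARCHIVE_KEY)
    # A package modified after indexing (e.g. on a mirror) fails at link 2.
    modified = dict(debs)
    modified["hello_1.0_amd64.deb"] = b"modified package bytes"
    bad_deb = verify_chain(release_text, sig, packages_text, modified, ARCHIVE_KEY)
    # An index altered without re-signing Release fails at link 1.
    bad_index = verify_chain(release_text, sig, packages_text + b"x", debs, ARCHIVE_KEY)
    return ok, bad_deb, bad_index


if __name__ == "__main__":
    for result in demo():
        print(result or "all links verified")
```

The structure is what makes dkg's "weakest link" caveat concrete: every check below the Release signature inherits its trust from that one key, so the chain says nothing about whether the bytes the archive signed were themselves built honestly from the published source.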

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
