* Henning Makholm ([EMAIL PROTECTED]) [031206 13:25]:
> Scripsit Goswin von Brederlow <[EMAIL PROTECTED]>
> > If a package is compromised we can prove that the DD of the package
> > either is malicious or incompetent.
> Say, we just had a major compromise on certain Debian machines. Pray
> tell, who do you think this proves is malicious or incompetent? We'd
> certainly want to toss out the culprit ASAP.
IMHO there can also be a third explanation: "Bad luck". But this also nullifies the trust in any keys on any compromised machine - and the administrators did replace the keys.

(And, to be honest: Perhaps one should discuss whether the kernel team would need some security team, like we have here at Debian. But saying what others should do is always very easy, and leads mostly to nothing but hot air. For this reason, I didn't start and don't want to say anything more on this topic. If someone with profound security knowledge wanted to help out there, this would be a much better starting point for any discussion.)

Cheers,
Andi

--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C