On Wed, 2 Apr 1997, Nicolás Lichtmaier wrote:

> On Wed, 2 Apr 1997, Bruce Perens wrote:
>
> > Unfortunately, I feel that Debian must bear the cost of certification
> > of maintainers and original authors. Unless I can tell someone I know
> > where a program came from, no other security procedures can be trusted
> > to have any effectiveness whatsoever.
>
> Yes, they are. Testing, and revising developers' diffs. If you could check
> package MD5 (someday we'll be able to do this =) ), you'll only need to
> see the diff.gz to check for security problems (assuming we can trust the
> mainstream developer).
> The problem left is: the .deb uploaded can be generated by a source not
> included in the source package. It would be great if gcc placed some kind
> of signature in binaries... but it doesn't... So.. what can we do? I say:
> let's make all developers upload only the source versions of their
> packages! An automated script can compile all the packages in some trusted
> environment.
I agree 100% with this approach. If the "pristine" source is not uploaded by the developer, there is less source to review.

The same type of automation is needed by users. I would love to have a package that checks my dpkg database and recompiles all installed programs in the background. It should create a deb package by default. This would be great for getting all the binaries optimized for a machine.

My first stab at Debian was with a pre-1.1 disk set. It was compiled for 486 and said "giving up" on my 386 test box. I had to switch my hardware around to evaluate Debian (well worth the hassle). Such an automated system would correct such oversights.

The recent bo disks set up some unknown owner:group combinations. This could possibly be prevented by checking against the base passwd and group files.

As far as building programs in general goes, I think everybody should do a make of Perl at least once. It is a great example of how to configure, build, test, and install a package.

Paul Wade - Greenbush Technologies Corporation
http://www.greenbush.com/cds.html
Linux CDs sent worldwide
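One way to implement the owner:group check suggested above, as an added example that is not code from the thread: a shell function that reads a `dpkg -c` (tar -tv) style file listing and flags every entry whose owner or group is missing from the base passwd and group files. The listing, passwd and group contents below are constructed samples, and `./usr/bin/leftover` with owner `builder/staff` is the planted bad entry.

```shell
#!/bin/sh
# Added example, not from the original thread. Flags files in a package
# listing whose owner or group is not present in the base passwd/group data.
# Assumed listing format (one entry per line, as printed by dpkg -c / tar -tv):
#   -rwxr-xr-x root/root   1234 1997-04-02 10:00 ./usr/bin/example
# All sample data below is constructed for the demonstration.

SAMPLE_PASSWD="root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh"

SAMPLE_GROUP="root:x:0:
daemon:x:1:
man:x:12:"

SAMPLE_LISTING="drwxr-xr-x root/root      0 1997-04-02 10:00 ./usr/bin/
-rwxr-xr-x root/root   1234 1997-04-02 10:00 ./usr/bin/example
-rw-r--r-- man/man     200 1997-04-02 10:00 ./usr/man/man1/example.1
-rwxr-xr-x builder/staff 777 1997-04-02 10:00 ./usr/bin/leftover"

# check_owners LISTING PASSWD GROUP
# Prints "owner/group path" for each entry whose owner or group is unknown.
# Returns 0 when every owner and group is known, 1 otherwise.
check_owners() {
    printf '%s\n' "$1" | awk -v passwd="$2" -v group="$3" '
    BEGIN {
        # Index the user and group names from the base files.
        n = split(passwd, pl, "\n")
        for (i = 1; i <= n; i++) { split(pl[i], f, ":"); users[f[1]] = 1 }
        n = split(group, gl, "\n")
        for (i = 1; i <= n; i++) { split(gl[i], f, ":"); groups[f[1]] = 1 }
        bad = 0
    }
    NF >= 6 {
        # Field 2 is owner/group, field 6 is the path in the package.
        split($2, og, "/")
        if (!(og[1] in users) || !(og[2] in groups)) { print $2, $6; bad = 1 }
    }
    END { exit bad }'
}

# Stand-alone run over the constructed sample: prints the offending entry.
check_owners "$SAMPLE_LISTING" "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

On a real system the listing would come from `dpkg -c package.deb` and the passwd/group data from the base files the message refers to.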