On 2009-02-15_19:51:11, Tzafrir Cohen wrote:
> On Sun, Feb 15, 2009 at 04:33:53PM -0300, Eduardo M KALINOWSKI wrote:
> > Tzafrir Cohen wrote:
> > > A Debian user should not be expected to install just any .deb file.
> >
> > Ideally speaking, I'd say this holds for any OS: Users should not just
> > install (or click, or run) everything they see.
> >
> > In practice things happen differently, especially in the Windows world.
>
> As I have pointed out, there's no real reason for the user interface to
> make that operation too simple. After all, you're not really guaranteed
> that you'll actually be able to install that package, as you may not
> have its dependencies.

This discussion is kind of crazy. I wonder why a producer of malware would not make sure that his/her package depended only on packages that are already available from official Debian repositories. Or, perhaps, have the initial package patch the user's sources.list to point to an extra special malware repository. Admittedly, most malware producers are really incompetent, but there are also producers of software that automate the production of malware. With these, really stupid people can produce a piece of malware that is a well crafted piece of evil.

Debian has already demonstrated initiative in automating package signing, and, no doubt, other security measures of which I am unaware. I suspect that the security is pretty good. Early on, there were powerful organizations that would have benefitted handsomely if Debian had been disrupted, and it wasn't disrupted. But there is always the unknown unknown.

--
Paul E Condon
pecon...@mesanetworks.net