On 5/16/2011 1:43 PM, John R Pierce wrote:
> On 05/16/11 11:24 AM, Les Mikesell wrote:
>> it is somewhat unsettling to think that the
>> project itself considers that to be a problem.
>
> consider what might happen if a core build server for a project as
> widely used as centos gets penetrated and carefully targeted to slip
> trojans unnoticed into the final product.... this would be a holy grail
> to the sort of international espionage that is taking place today.
>
> be scared, be very scared.

Yes, but assuming they eat their own dog food and are running the same
thing we are, if their servers are penetrated, yours will too even
before whatever they are building ships. And it is something that
debian seems to be able to handle. In any case, with full automation it
would be easy enough to duplicate the final build on a trusted server
and compare the results before distribution. Or for someone else to do
it to verify from an outside perspective.

--
   Les Mikesell
    lesmikesell at gmail.com
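The check described in the message above (repeat the build on a trusted server, then compare it with what is about to ship), sketched as an added example that is not part of the original post or of any CentOS tooling. The function names and the two small directory trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            out[p.relative_to(root).as_posix()] = h.hexdigest()
    return out


def compare_builds(official: Path, rebuilt: Path) -> dict[str, list[str]]:
    """Report every way the official tree deviates from the trusted rebuild."""
    a, b = manifest(official), manifest(rebuilt)
    return {
        "missing_from_rebuild": sorted(a.keys() - b.keys()),
        "only_in_rebuild": sorted(b.keys() - a.keys()),
        "content_differs": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: two tiny trees standing in for build outputs."""
    with tempfile.TemporaryDirectory() as tmp:
        official, rebuilt = Path(tmp, "official"), Path(tmp, "rebuilt")
        for root in (official, rebuilt):
            (root / "pkgs").mkdir(parents=True)
            (root / "pkgs" / "a.bin").write_bytes(b"same bytes")
        (official / "pkgs" / "b.bin").write_bytes(b"modified payload")
        (rebuilt / "pkgs" / "b.bin").write_bytes(b"clean payload")
        (official / "pkgs" / "extra.bin").write_bytes(b"not in rebuild")
        return compare_builds(official, rebuilt)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}: {path}")
    # Non-zero exit lets an automated pipeline block distribution on any mismatch.
    raise SystemExit(1 if any(report.values()) else 0)
```

A byte-for-byte match assumes the build is deterministic; embedded timestamps, host names or signatures will show up under `content_differs` and have to be normalised before a mismatch means anything.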