Re: How secure is the openSUSE Build Service?



On Monday 05 November 2007 11:40:05 pm Thomas wrote:
Only if you assume *every* upstream developer is honest and/or trust the
integrity of the Debian/Gentoo/FreeBSD servers... Hello rsync! ;-)

I have to disagree. Trusting every upstream developer, and all the admins who
maintain the systems (build farms, download servers, etc.) is clearly
impossible. Both groups are largely unknown to end users.

Far more important is the level of trust you place in the integrity with which
the project is run. If a download server is compromised (which has happened)
are the admins both skilled and forthcoming about fixing the problem, and
communicating what packages might be at risk? Is a software project developer
community careful about how they evaluate patches, do they reliably backport
patches against a development release to their stable release when it's
appropriate, etc.

In general terms, trust isn't binary, but a continuum, and I'd regard a
well-run distribution with no third-party repositories as safer.

Am Freitag 02 November 2007 schrieb Eduardo Tongson:
Correct.

Does this mean that a distro that doesn't require 3rd party
repositories (Debian/Gentoo/FreeBSD) is safer?



Relevant Pages

  • security best practice
    ... I'd like some advice from the admins. ... I want my developer users to be able to access all of the ... various tomcat files, from logs and conf stuff to startup scripts. ...
    (Debian-User)
  • Re: GC performance - GC fragility
    ... developer to be stupider that he already is, somehow enables him to write ... safer code... ...
    (borland.public.delphi.non-technical)