Re: How secure is the openSUSE Build Service?



On Tuesday 06 November 2007 10:16:49 pm Thomas wrote:
Am Mittwoch 07 November 2007 schrieb Eduardo Tongson:
Aniruddha was asking which is safer. There is a difference between 3rd
party repositories and official repositories. If you do not trust the
distribution's official repositories your alternative would be Linux
from Scratch and individually checking source tarballs.

Which is - of course - very impracticable. :)

I think it is *not* less secure. In the case of OSS it doesn't matter
anymore. When you trust several thousands developers around the globe,
hundreds of CVS, SVN, rsync, FTP, HTTP servers used for development and
dozens of distribution then *one* additional layer in the distribution
process doesn't really matter.

It is a matter of trust and not a matter of security.

A matter of trust, not security?!?

That's the most bizarre thing I've heard this week, and it's been a very
strange week. Security is fundamentally about trust, from the very basis of
how we even attempt to build secure systems--cryptographic primitives such as
hash functions.

Go back to fundamentals. What's the purpose of a password? To enable *trust*
that Alice really is Alice.



Relevant Pages