Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it at all. As it turns out, two malicious software packages had been uploaded to, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
RE[5]: Audit packages
by lemur2 on Thu 17th Dec 2009 22:14 UTC in reply to "RE[4]: Audit packages"

Sure. No big disagreements there. Yet, the packagers seldom audit the actual source code from which the binary is packaged.


That part is up to the original project itself.

By "project", I mean an open source collaborative development project, such as KDE, or GNOME, or Apache, or Mozilla, or whatever.

The projects audit their source code and submissions to their source code.

The distributions audit that that source code faithfully gets on to end users' systems.

Neither party does the work of the other. It is a collaboration involving multiple, independent individuals, all of whom have an interest in ensuring the purity of the code.

It is also like a double-blind. No one malicious person (who might have an aim to infect end users' systems with malware) gets to push the code the whole way through to end users' systems.

Finally ... don't forget about the perfect record of this system. The proof is in the pudding, as they say.

Reply Parent Score: 2
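The distribution-side half of the check lemur2 describes (that the bytes reaching the end user match what the archive published) comes down to comparing a downloaded .deb against the hash recorded in the archive's signed Packages index. The following is an added example, not code from this thread or from any distribution's tooling: it parses a constructed Packages-style stanza list and verifies a constructed package blob against it. The package contents, file names and the second index entry are all made-up sample data; a real index would additionally be covered by the archive's Release/InRelease signature, which this example does not model.

```python
import hashlib

# Constructed stand-ins for two downloaded .deb files (not real Debian archives):
# one matching what the archive published, one with extra bytes appended.
GENUINE_DEB = b"!<arch>\nconstructed genuine package contents\n"
TAMPERED_DEB = b"!<arch>\nconstructed genuine package contents\n<extra payload>\n"
GENUINE_FILENAME = "pool/main/g/gnome-screensaver-foo_1.0-1_all.deb"


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a byte string, the field format used in Packages indexes."""
    return hashlib.sha256(data).hexdigest()


# Constructed Packages index: two RFC822-style stanzas separated by a blank line.
# The first stanza's Size/SHA256 are computed from GENUINE_DEB so they are consistent.
PACKAGES_INDEX = (
    "Package: gnome-screensaver-foo\n"
    "Version: 1.0-1\n"
    f"Filename: {GENUINE_FILENAME}\n"
    f"Size: {len(GENUINE_DEB)}\n"
    f"SHA256: {sha256_hex(GENUINE_DEB)}\n"
    "\n"
    "Package: other-pkg\n"
    "Version: 2.0-1\n"
    "Filename: pool/main/o/other-pkg_2.0-1_all.deb\n"
    "Size: 10\n"
    "SHA256: " + "0" * 64 + "\n"
)


def parse_packages_index(text: str) -> dict:
    """Parse a Packages index into {Filename: {field: value}} stanzas."""
    stanzas = {}
    current = {}
    for line in text.splitlines():
        if not line.strip():
            # Blank line terminates a stanza.
            if current:
                stanzas[current["Filename"]] = current
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas[current["Filename"]] = current
    return stanzas


def verify_deb(filename: str, data: bytes, index: dict) -> tuple:
    """Check a downloaded package against the index; returns (ok, reason).

    Size is compared first (cheap), then the SHA256 digest. A package that is
    not listed at all is rejected: an unlisted .deb is exactly the case of a
    file masquerading as a distribution package.
    """
    entry = index.get(filename)
    if entry is None:
        return (False, "not in index")
    if len(data) != int(entry["Size"]):
        return (False, "size mismatch")
    if sha256_hex(data) != entry["SHA256"]:
        return (False, "sha256 mismatch")
    return (True, "ok")


if __name__ == "__main__":
    index = parse_packages_index(PACKAGES_INDEX)
    print(GENUINE_FILENAME, verify_deb(GENUINE_FILENAME, GENUINE_DEB, index))
    print(GENUINE_FILENAME, verify_deb(GENUINE_FILENAME, TAMPERED_DEB, index))
    print("unknown.deb", verify_deb("pool/main/u/unknown.deb", GENUINE_DEB, index))
```

The useful property is the order of failures: a package the archive never published is rejected before any hashing happens, and a published package whose bytes were altered in transit fails on size or digest. Neither check says anything about whether the upstream source was sound; that is the project-side audit the comment assigns to KDE, GNOME and the rest.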