

Re: Changing the way we deal with source archives



On Fri, 07 Mar 1997 21:15:00 PST Bruce Perens (bruce@pixar.com) wrote:

> From: Philippe Troin <phil@fifi.org>
> > The purpose of deletion is to make the source smaller.
> 
> I understand. I'm not sure we should be doing that.

For my previous example of obscure functionality, I agree we could 
leave them. But duplicating some code...
I've found that more and more source you can find for Linux which 
depends on external libraries comes with the libraries bundled. This 
has the advantage for the average Slackware user of just being able to 
type make and let the thing compile instead of worrying about which 
version of the shared libs it has, upgrading them, etc, etc...

> > I don't really understand all this recent paranoia, and what's behind what
> > you call traceability...
> 
> Well, the theory is that anyone who wants to can slip a trojan horse into
> the system. We can't review all of the code, so we at least want to be
> able to verify that we got the package unmodified from its author, and we
> want it to be really easy to see how Debian changed the package.

I know I'll restart the debate, but if we allow the .tar.gz signature 
to be changed (for toplevel name modification purposes), what's the 
problem with allowing changes within the source tree?
Better, why not make it mandatory for any changes not traceable (yep, 
it's the latest buzzword!) with a diff file (that is filename 
changes, deletions, probably others) to provide a script which will 
convert the source tree into the debianized source tree?

> And when did the paranoia start? For many people it started when a virus
> popped up on Linux. A virus called "Bliss", as in "Ignorance is Bliss".
> However, for me it started a lot earlier. I've been talking about how to
> fight trojans for a long time.

As far as I understood the Bliss problem, this came from the fact that the executable was suid root (for libsvga purposes), and it didn't drop the privileges early enough.
For the general paranoia syndrome, I think that hackers have much easier ways to get into a networked machine than changing source packages... But you're allowed to disagree...

Phil.
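The two halves of the "traceability" Bruce asks for (checking that the upstream tarball is the one the author published, and capturing every Debian change, including the deletions and renames Phil raises, in one diff), as an added shell example that is not code from this thread or from Debian; the package name, files and recorded digest are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: Bruce's "traceability" idea as two
# checks. (1) Confirm the tarball we hold is the one whose digest was recorded
# out-of-band from the author. (2) Express every Debian change as one diff
# against the pristine tree, including the deletions and renames Phil mentions,
# so a reviewer can see exactly what changed. Package, files and digest below
# are constructed for the demonstration.
set -eu
# SHA-256 of a file (assumes GNU coreutils sha256sum).
digest_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Step 1: succeed only if the tarball matches the recorded digest.
verify_upstream() {
    tarball=$1; expected=$2
    [ "$(digest_of "$tarball")" = "$expected" ]
}

# Step 2: unpack the verified tarball into a scratch dir and diff it against the
# debianized tree. diff -ruN lists new, changed and deleted files (a rename is one
# deletion plus one addition); exit 1 means "trees differ", exit 2 means diff failed.
debian_diff() {
    tarball=$1; debianized=$2; out=$3
    scratch=$(mktemp -d)
    tar -xzf "$tarball" -C "$scratch"
    rc=0
    diff -ruN "$scratch/$(basename "$debianized")" "$debianized" > "$out" || rc=$?
    rm -rf "$scratch"
    [ "$rc" -ne 2 ]
}

# Constructed sample: upstream ships a bundled library; the debianized copy
# drops it in favour of the system library, renames a file and adds debian/.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/up/hello-1.0/libbundled" "$WORK/deb"
printf 'int main(void){return 0;}\n' > "$WORK/up/hello-1.0/hello.c"
printf 'bundled copy\n' > "$WORK/up/hello-1.0/libbundled/lib.c"
tar -C "$WORK/up" -czf "$WORK/hello-1.0.tar.gz" hello-1.0
RECORDED=$(digest_of "$WORK/hello-1.0.tar.gz")   # stands in for the author's published digest
cp -r "$WORK/up/hello-1.0" "$WORK/deb/hello-1.0"
rm -r "$WORK/deb/hello-1.0/libbundled"
mv "$WORK/deb/hello-1.0/hello.c" "$WORK/deb/hello-1.0/main.c"
mkdir "$WORK/deb/hello-1.0/debian"
printf 'hello (1.0-1) unstable; urgency=low\n' > "$WORK/deb/hello-1.0/debian/changelog"

verify_upstream "$WORK/hello-1.0.tar.gz" "$RECORDED" && echo "upstream tarball verified"
debian_diff "$WORK/hello-1.0.tar.gz" "$WORK/deb/hello-1.0" "$WORK/hello-1.0-1.diff"
grep '^diff ' "$WORK/hello-1.0-1.diff"   # one header per added, removed or renamed file
```

A single byte appended to the tarball makes `verify_upstream` fail, and the diff's per-file headers are the reviewer's inventory of what Debian touched.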