Whom should I put my trust?

Axel Thimm Axel.Thimm at physik.fu-berlin.de
Mon Nov 24 22:54:06 UTC 2003


On Tue, Nov 25, 2003 at 12:12:12AM +0300, Timothy Ha wrote:
> Thank you!
> 
> I still have some questions (not doubts): With thrilling stories like 
> someone breaking into the Linux kernel source, how do you guarantee the quality 
> of the repositories? Security updates, system tools and so on are there.

If someone alters the upstream sources without the upstream developers
noticing it, it is hardly possible to audit it on the packagers'
level. You can only evade this with a full source code review and
reviewing all changes thereafter, which means you need to throw lots
of engineering time at it, which probably only the NSA can afford.

> Will Redhat be some guarantee to all these things?

No, not for Red Hat external resources, and possibly not even for the
core set of packages. Maybe some critical packages like kernel and
glibc do get full source code review, but I doubt this can be done for
all O(1000) packages in a typical RH base distribution.

Having said that, RH has a very good record of security audits, as
well as the other mentioned repos until now (I remember the last
openssh security update being done by at least 3 repos simultaneously,
without the repos having offered openssh previously).

But, hey, how can you even trust it is the sender who writes these
lines, and who's that guy looking through your window? ;)

> Phillip Compton wrote:
> 
> >On Mon, 2003-11-24 at 12:31, Timothy Ha wrote:
> > 
> >
> >>What are more or less official repositories for Fedora?
> >>
> >>fedora.us + freshrpms.net ?
> >>
> >
> >fedora.us is my favorite 
> >
> >freshrpms.net, dag, and ATrpms are all trustable sources. 
> >
> >jpackage is also a good source if you're looking for java related
> >packages.
> >

-- 
Axel.Thimm at physik.fu-berlin.de
