My question is a little silly. When a package enters the official repository, is its code checked by the Maintainer? Just saying, just in case there is something strange in it.
Thank you
Last edited by work (2012-04-17 08:43:48)
I doubt anyone audits the code, but the maintainer should test it to see if it works and doesn't do something silly https://github.com/MrMEEE/bumblebee-Old … issues/123
When a package enters the official repository, is its code checked by the Maintainer?
Short answer: no.
In practice it is up to the judgement of the individual maintainer, but I doubt anyone ever truly audits code. Some sanity checks are of course done.
Does the false sense of security from having our packages signed now wash away given the primary attack vector of the upstream source is still wide open?
If you can't trust what comes from upstream, then don't swim in the river!
"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman
If you can't trust upstream, why do you trust our developers and TUs? Some of them are known breakage-creators (Allan), some of them may not even exist in real life in any real provable manner (Xyne).
Allan-Volunteer on the (topic being discussed) mailing lists. You never get the attention of the people who matter on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Does the false sense of security from having our packages signed now wash away given the primary attack vector of the upstream source is still wide open?
Don't be bitter!
Last edited by Montague (2015-07-28 02:48:55)
does this mean that, in order to truly feel safe, an individual/organisation would have to audit *every* piece of code they choose to use, or write everything from scratch, all that work just to have complete control and peace of mind?
Bottom line, yes. It all comes down to "trust on the web" again. If you're using package X by developer Y, you're going to have to trust Y up to a certain degree (or audit every line of code before putting it to use).
Burninate!
Does the false sense of security from having our packages signed now wash away given the primary attack vector of the upstream source is still wide open?
I lol'd heartily.
Also, if you want to be really kinda sure, look for developers that sign commits to their repos with GPG and whatnot. Then you at least know whom to blame…
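Signed commits only help if somebody actually checks them. As an added example (my code, not anything from this thread or from Arch), here is a small Python audit that reads a repository's commit signature status via git's `%G?` and `%GF` placeholders and flags every commit that is unsigned, badly signed, or signed by a key outside an allow-list of trusted fingerprints. The function names are mine and the sample log is constructed, not a real repository.

```python
import subprocess

# %G? status codes as documented in git-log(1) under "pretty formats"
SIG_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}
SEP = "\x1f"  # ASCII unit separator, produced by %x1f in the git format
LOG_FORMAT = "%H%x1f%G?%x1f%GF%x1f%s"  # hash, status, signing-key fingerprint, subject


def audit(log_text, trusted_fingerprints):
    """Return (commit, status, reason, subject) for every commit that violates
    the policy: the signature must verify (G or U) and come from a trusted key."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, status, fpr, subject = line.split(SEP, 3)
        if status not in ("G", "U"):
            reason = SIG_STATUS.get(status, f"unknown status {status!r}")
        elif fpr not in trusted_fingerprints:
            reason = f"signed by untrusted key {fpr}"
        else:
            continue  # verified and trusted: nothing to report
        findings.append((commit, status, reason, subject))
    return findings


def git_log_signatures(repo_path):
    """Produce the log text audit() expects from a real checkout (needs git and gpg)."""
    return subprocess.run(["git", "-C", repo_path, "log", f"--format={LOG_FORMAT}"],
                          check=True, capture_output=True, text=True).stdout


# Constructed sample (fake hashes and fingerprints) so the audit runs offline.
TRUSTED = {"1111AAAA2222BBBB3333CCCC4444DDDD5555EEEE"}
SAMPLE_LOG = "\n".join(SEP.join(row) for row in [
    ("c0ffee01", "G", "1111AAAA2222BBBB3333CCCC4444DDDD5555EEEE", "Fix input parsing"),
    ("c0ffee02", "N", "", "Bump version"),
    ("c0ffee03", "G", "9999FFFF8888EEEE7777DDDD6666CCCC5555BBBB", "Add feature"),
    ("c0ffee04", "B", "1111AAAA2222BBBB3333CCCC4444DDDD5555EEEE", "Merge branch"),
])
```

On a real checkout, `audit(git_log_signatures("/path/to/repo"), TRUSTED)` gives the same report; note that a good signature from an unknown key (status U) is only accepted when the fingerprint is on the allow-list.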
Interesting discussion. Let me see if I understand correctly: does this mean that, in order to truly feel safe, an individual/organisation would have to audit *every* piece of code they choose to use, or write everything from scratch, all that work just to have complete control and peace of mind? That would be an insane amount of work! ...
You have never worked on a system on which lives depend, have you?
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Montague wrote: Interesting discussion. Let me see if I understand correctly: does this mean that, in order to truly feel safe, an individual/organisation would have to audit *every* piece of code they choose to use, or write everything from scratch, all that work just to have complete control and peace of mind? That would be an insane amount of work! ...
You have never worked on a system on which lives depend, have you?
<OT>The other day I was weeding... MY life certainly depended on it, what with my wife's attitude towards gardens</OT>
And I do recall reading about holes even in software used by the US DOD, so no, I don't think anyone actually DOES the work, though it would seem to be necessary for absolute surety.
Interesting discussion. Let me see if I understand correctly: does this mean that, in order to truly feel safe, an individual/organisation would have to audit *every* piece of code they choose to use, or write everything from scratch, all that work just to have complete control and peace of mind? That would be an insane amount of work!
If you can read (and understand and evaluate whether it contains a bug/problem) one line of code per second, then it would take 173 days to read through the Linux sources.
Thank you for all your answers.
My question was silly indeed, as I can see.