
From: Stephane Bortzmeyer <bortzmeyer@pasteur.fr>
To: lwilson1@radium.ncsc.mil
Subject: Re: Debian Security Issues 
Date: Mon, 01 Feb 1999 14:40:27 +0100

On Saturday 30 January 1999, at 23 h 31, the keyboard of Larry Wilson 
<lwilson1@radium.ncsc.mil> wrote:

> The professor asked me to find out:
> "What is distinctive about Debian Linux development that affects
> its assurance?"

As a recent Debian developer (Sep. 1998), let me give my opinion:

What is distinctive about Debian is that:

- there is no separation between "contrib" and non-contrib (as RedHat, but 
also *BSD, have). All packages are held to the same standards of quality, as 
described in the Debian policy <http://www.debian.org/doc/debian-policy/>. 
This has some implications for security: in RedHat, non-contrib packages are 
checked by RedHat; for the rest, it is up to you. Since you cannot really work 
with just the non-contrib packages, you easily end up installing untrusted binaries.

- all developers are registered and there are at least some attempts to 
verify their identity (I had to send a scan of my passport, PGP-signed of 
course). The names are public <http://www.debian.org/devel/people>. You know 
who made your package.

- all packages are PGP-signed by a developer. (The public keys are... public.)

- all bugs are public <http://www.debian.org/Bugs>, meaning that a lazy 
maintainer cannot conceal a security problem in one of his packages.


-- 
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org