From: Stephane Bortzmeyer <bortzmeyer@pasteur.fr>
To: lwilson1@radium.ncsc.mil
Subject: Re: Debian Security Issues
Date: Mon, 01 Feb 1999 14:40:27 +0100

On Saturday 30 January 1999, at 23 h 31, the keyboard of Larry Wilson <lwilson1@radium.ncsc.mil> wrote:

> The professor asked me to find out:
> "What is distinctive about Debian Linux development that affects
> its assurance?"

As a recent Debian developer (Sep. 1998), let me give my opinion.

What is distinct about Debian is that:

- there is no separation between "contrib" and non-contrib (as RedHat, but also *BSD, does). All packages have the same standards of quality, as described in the Debian policy <http://www.debian.org/doc/debian-policy/>. This has some implications for security: in RedHat, non-contrib packages are checked by RedHat; for the rest, it is up to you. Since you cannot really work with just non-contrib packages, you easily install non-trusted binaries.

- all developers are registered and there are at least some attempts to be sure of their identity (I had to send a scan of my passport, PGP-signed of course). The names are public <http://www.debian.org/devel/people>. You know who made your package.

- all packages are PGP-signed by a developer. (The public keys are... public.)

- all bugs are public <http://www.debian.org/Bugs>, meaning that a lazy maintainer cannot conceal a security problem in one of his packages.