On Thu, 2005-07-28 at 16:25 -0400, Tony Nelson wrote:
> At 6:26 PM +0300 7/28/05, Dotan Cohen wrote:
> >...Tell me, how carefully watched are the people who maintain
> >packages in, say, extras? Can these repros really be trusted in that
> >sense? I guess that I am, in a way, letting the maintainers of the
> >repros add anything that they like to my system- I don't have the
> >knowledge to go over every last package, and as a home user, I do not
> >plan on acquiring that knowledge.
>
> Put another way, are there any known cases where a packager for a major
> distro or repo has acted with malicious intent? (I'm also curious about
> this.)

Not that I know of, but I do recall issues with the ftp servers for
major bits of software being compromised and the source code being
tampered with there. That's why it's a good idea always to check GPG
signatures when provided for tarballs you may download.

Paul.
--
Paul Howarth <paul@xxxxxxxxxxxx>