by betterunix 4487 days ago
"A packager downloads a random tarball off the internet, often over HTTP and/or unsigned and unverified."

Unless the packager is on the mailing list for the project, which many are as it helps them keep up to date on changes.

"The packager uploads the same tarball to the distro build system (you trust them, right?)"

Now the package is in one place, so when you say, "SSH on Fedora seems to open a connection to this random server in Ft. Meade!!!" everyone else can check and see if that is what is happening. Now you have thousands of people investigating the bug -- not so bad. Compare this to, "I downloaded something that is supposed to be PuTTY, which I found via a Google search, and it is acting funny!"

The fact that everyone who uses Fedora or Ubuntu is running the same code is pretty helpful. It is not much, but it does help.

"The packager's script for building the program or library is executed by the build server"

In a chroot jail, or an SELinux sandbox, or a VM, or any number of other environments that help to isolate the build process from the rest of the system. In theory, the build server has quite a bit of protection from malicious packagers.

Also worth noting is that packagers' actions are logged and would probably be audited if a user sounded the alarm and nobody could figure out what was happening. It would take a lot to pwn the users of a distro in any meaningful way, because keeping it secret is hard -- your victory would be short-lived.