Re: How secure is the openSUSE Build Service?

On Tuesday 06 November 2007 10:16:49 pm Thomas wrote:
> Am Mittwoch 07 November 2007 schrieb Eduardo Tongson:
> > Aniruddha was asking which is safer. There is a difference between 3rd
> > party repositories and official repositories. If you do not trust the
> > distribution's official repositories your alternative would be Linux
> > from Scratch and individually checking source tarballs.
>
> Which is - of course - very impracticable. :)
>
> I think it is *not* less secure. In the case of OSS it doesn't matter
> anymore. When you trust several thousands developers around the globe,
> hundreds of CVS, SVN, rsync, FTP, HTTP servers used for development and
> dozens of distribution then *one* additional layer in the distribution
> process doesn't really matter.
>
> It is a matter of trust and not a matter of security.

A matter of trust, not security?!?

That's the most bizarre thing I've heard this week, and it's been a very 
strange week. Security is fundamentally about trust, from the very basis of 
how we even attempt to build secure systems--cryptographic primitives such as 
hash functions.

Go back to fundamentals. What's the purpose of a password? To enable *trust* 
that Alice really is Alice.