Security Concern - Open Source Binaries

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jun 9 21:23:42 CEST 2009


On 06/07/2009 06:33 PM, simplejack wrote:
> Is SourceForge (or any of the other repositories for open source software)
> actually doing a compile and compare of uploaded source code to ensure that
> uploaded binaries are legitimate?
> 
> I know, I know: I'm lazy. Why should the processing burden be centralized
> vs. distributed, but having a central body actually signing off on the
> legitimacy of the files they are sending would go a long way to reassuring
> its users.

I don't believe that SourceForge (or any other major free software
service provider) does this.

However, most GNU/Linux distributions do.  If you want a centralized
software aggregator who cryptographically signs off on packages at their
own distribution step, you should install Debian or Ubuntu (I know they
do this, through secure apt) or Fedora or Gentoo (I'm pretty sure they
do).  I can't speak for other distros.

The usual caveats apply, of course: trusting the distro is often the
same as trusting the weakest link in the chain -- the most sloppy
developer with commit privileges to the distro, or the most sloppy
upstream developer, or the least-secured machinery in the chain between
you and the original developer who wrote the code.

	--dkg
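The "secure apt" chain mentioned above, as an added example (not code from this thread or from apt itself): the archive key's OpenPGP signature on the Release file is assumed to have been checked by gpgv beforehand and is not shown; what the script walks is the hash chain that signature anchors, Release -> Packages -> .deb. The Release, Packages and .deb contents are constructed samples, not real archive data.

```python
import hashlib
import re

# gpgv verifies the archive signature on Release first (not shown here);
# the hash chain below is what that one signature ultimately covers.
DEB_BYTES = b"!<arch>\ndebian-binary   constructed-sample"  # constructed, not a real .deb
DEB_PATH = "pool/main/h/hello/hello_2.4-1_amd64.deb"

# Constructed Packages index stanza naming that .deb and its SHA256.
PACKAGES = (
    "Package: hello\nVersion: 2.4-1\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n\n"
).encode()

# Constructed Release file; in a real archive this is the file the archive key signs.
RELEASE = (
    "Origin: Example\nSuite: stable\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-amd64/Packages\n"
)

def release_entry(release, path):
    """Return (sha256, size) for `path` from the Release SHA256 block, else None."""
    in_block = False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, name = line.split()
            if name == path:
                return digest, int(size)
        else:
            in_block = False  # any other top-level field ends the block
    return None

def packages_field(packages, filename, field):
    """Return `field` from the Packages stanza whose Filename matches, else None."""
    for stanza in packages.decode().split("\n\n"):
        fields = dict(re.findall(r"^([\w-]+): (.*)$", stanza, re.M))
        if fields.get("Filename") == filename:
            return fields.get(field)
    return None

def verify_chain(release, packages, deb_path, deb_bytes):
    """True only if each link hashes to exactly what the link above it promises."""
    entry = release_entry(release, "main/binary-amd64/Packages")
    if entry != (hashlib.sha256(packages).hexdigest(), len(packages)):
        return False  # Packages index is not the one the signed Release names
    want = packages_field(packages, deb_path, "SHA256")
    return want is not None and want == hashlib.sha256(deb_bytes).hexdigest()
```

Note that a tampered .deb or a rewritten Packages index fails the chain even though nothing here re-checks the OpenPGP signature: the signature only ever covers Release, and everything below it is bound by hashes.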
