> I don't see a clear path to doing this the "right" way, where chaos is
> prevented by something more substantial than a social convention.
>
> I have to admit that the social convention is working very well at the
> moment, though.
>
> --
> Tim Freeman
> [EMAIL PROTECTED]
At some point you have to "trust". Unless you're ready to read every line of code, every script, yourself every time you install anything, trust is explicit. I "trust" binary .deb's from the Debian archives and x.debian.org mirrors. I "trust" .deb's and .rpm's when I get them from sources pointed to by their creators. I really like PGP, GPG, MD5 and other signatures on/with binary packages; at least it gives me a clearer false sense of security. At a stretch, I'll even run a game demo or some such binary as myself which I pull down from somewhere that looks like fun.

Yes, the social convention is working very well indeed. A single source build that many people use (ftp.debian.org, ftp.kde.org, etc.) also means that if anyone finds a problem in it and does something about it, they do me good too by making the next apt-get upgrade more than just exercise for my modem.

Reputation counts. I'm sure that if a maintainer was discovered to have uploaded code with such things in it, that maintainer would lose coolness points galore.

Darn, second ramble in two days. Your pardon.

Curt-