Aigars Mahinovs <aigar...@gmail.com> writes:

> Do you actually check that the contents of the source *package* (after all
> operations done by dpkg-source and possibly other tools) actually match
> what you were looking at before in your source work tree folder?

Until this thread, the idea that doing so might be prudent had not even occurred to me TBH. Now that it has, it also occurs to me that if I actually were subject to an attack that was attempting to sneak something in at this point, my system might well have been tampered with to render it unable to detect the change (by replacing diff with a version blind to the changes etc.)

Cheers, Phil.
--
Philip Hands -- https://hands.com/~phil