Downloaded .deb safe?

[Stanislas Breton]

Michael Leone wrote:
> Stanislas Breton wrote:
>
>   
>> If security's a paramount concern, follow long-standing Unix security
>> practice and inspect the source code. If you're unable to inspect the
>> source code, or don't consider yourself technically competent to inspect
>> the source code for possible malware content, then don't install it.
>>     
>
> If he didn't feel competent to examine the source code, he'd never run 
> *ANY* OS. This includes Linux. Even if the source code is available (and 
> it i), I'm certainly not a competent programmer to examine everything 
> from the kernel on upwards,to things like Fireforx and OpenOffice. Since 
> I'm not technically competent to inspect the source code for possible 
> malware, then I wouldn't run Linux.
>
> By the practices you advocate above, I take it then that you've examined 
> all the source code of every application that you have installed? :-)
>
> (I'm only teasing, but doing so to point out that the above is probably 
> not a practical answer ...)

But if you elect to adopt Linux, you also adopt its security culture, an
important element of which is that responsibility for security always
ultimately lies with the end user.

If to that end it proves necessary to defer judgment on technical
matters, then it should at least be to someone who either possesses the
specialized skills involved in security auditing, or to a downstream
developer who unfailingly defers to someone who does.

Of course, it follows from this that you should never trust distros that
countenance the inclusion of applications/kernel modules for which the
source code isn't open to general inspection...