REPOs do serve a purpose.
Posted Jul 22, 2010 11:47 UTC (Thu) by alex (subscriber, #1355)
In reply to: A trojan in a Firefox security add-on by elanthis
Parent article: A trojan in a Firefox security add-on
"through some over engineered, time wasting, bureaucratic software repository process with the assumption that that somehow magically means all that code is clean and friendly"
The Linux repo model isn't all that bad. There is an implied chain of trust from (hopefully) upstream's signed packages to the distribution's QA and their signing and provision of sources related to the package you're installing. You should be able to update your copy of Apache with reasonable confidence it's not got a backdoor in it, doubly so if you're using an enterprise distro where you're actually paying for support.
That's not to say the flaws you point out don't apply if all the packager has done is downloaded a random cool-looking tarball and just whacked a "configure/make/make install" into the package.