undefined | Better HN

0 pointsm4rtink2y ago0 comments

Not to mention it introduces a single point of failure, that once compromised can start pushing malware directly to user.

With maintainers in the loop, there is at least one more person that can notice something is fishy. Not to mention there is usually so time before packages are updated, so there is more time to notice an attack.

0 comments

AnIdiotOnTheNet2y ago

> With maintainers in the loop, there is at least one more person that can notice something is fishy

Also one more person who can inject malware or break something. How did that Debian keygen issue happen again? Oh right.

bombolo2y ago

> How did that Debian keygen issue happen again?

The people on the openssl mailing list said it was fine. That's how it happened.

AnIdiotOnTheNet2y ago

And yet the upstream developers themselves never incorporated the change, it was entirely because an unnecessary third party middle man made unnecessary changes.

j / k navigate · click thread line to collapse

0 pointsm4rtink2y ago0 comments

Not to mention it introduces a single point of failure, that once compromised can start pushing malware directly to user.

0 comments

AnIdiotOnTheNet2y ago

> With maintainers in the loop, there is at least one more person that can notice something is fishy

Also one more person who can inject malware or break something. How did that Debian keygen issue happen again? Oh right.

bombolo2y ago

> How did that Debian keygen issue happen again?

The people on the openssl mailing list said it was fine. That's how it happened.

AnIdiotOnTheNet2y ago

And yet the upstream developers themselves never incorporated the change, it was entirely because an unnecessary third party middle man made unnecessary changes.

j / k navigate · click thread line to collapse