sidi | Is there a document somewhere that describes the security checks done on packages in the Ubuntu repositories? And specifically, is there any difference in how main and community packages are checked/validated? | 12:25 |
---|---|---|
rbasak | sidi: try asking in #ubuntu-hardened. You may want to expand on what you mean by "security checks". | 12:31 |
sidi | rbasak, thanks will ask there. | 12:37 |
sidi | rbasak, i'm doing studies with Ubuntu users, part of which covers their perceptions of security and where they deem it safe to download software | 12:37 |
sidi | i want to know if any forms of security check / process are in place to ensure that packages on main / universe are deemed secure and/or safe | 12:38 |
sidi | whether testing, static analysis, dynamic analysis, refusing packages with known vulns, verifying the identity of developers and using third-party assessments to ensure that the developers' products are not malicious, etc. | 12:39 |
persia | sidi: Be prepared for a lack of clear answers there: many of the packages in Ubuntu are derived unchanged (and unchecked) from Debian, many of which are code-identical to upstream. | 12:45 |
 | * persia is not authoritative on security practices in Ubuntu | 12:45 |
sidi | persia, i sort of expect that, yes :-) | 13:09 |