It's perfectly normal for Debian packages to be maintained by other people that ... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

ptx on Nov 14, 2018 | parent | context | favorite | on: Private by Design: How We Built Firefox Sync

It's perfectly normal for Debian packages to be maintained by other people that the original developers of that piece of software, isn't it? Debian has more than 60000 packages but doesn't have 60000 package maintainers – the roles are quite separate.

For example, Linus Torvalds doesn't maintain the Debian kernel packages. If whoever does were to put malicious code in the kernel packages, that would be very bad, just as if Heimdall were compromised, which is why Debian has a relatively small set of trusted package maintainers and doesn't let just anyone put code in the official distribution.

Benjamin_Dobell on Nov 14, 2018 [–]

> Debian has a relatively small set of trusted package maintainers and doesn't let just anyone put code in the official distribution

There are presently 2619 official Debian maintainer GPG keys[1].

Considering the scope, that's not ridiculous, but I wouldn't call it small.

[1] http://ftp.debian.org/debian/pool/main/d/debian-keyring/

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact