I would like to respond to a post by Chris Wadge about the security of his Hiawatha Debian packages.
In his post he said he has received several questions about the security of the Hiawatha Debian packages he has made available. Although he thinks those are valid questions, I think they are a bit weird. Questions like 'Are your packages secure?' are pointless, because would you ever expect to get 'no' for an answer?
Let me first explain a bit more about security and trust. Security begins where trust ends. I trust my wife, I trust my family, I trust my friends. Of course, my wife has a key to our home, but without any doubt I would give the key to our home to any family member or a friend if it was needed in any situation. There is no need for me to take any security measures. Trust is needed to make life easier. Of course, I don't give the key to our home to a complete stranger, because I can't trust them. That's where security starts.
If you think about this a bit more, you might wonder why I don't give all my friends a key to my home. I trust them, right? Yes, I do trust them completely, but I don't trust Murphy and his law, I don't trust 'bad luck' and I don't trust pickpockets. There is no need for them to permanently have a key to my home, so there are only risks and no benefit in that. So, again, security takes over.
Trust is mainly based on experience, your own experience or the experience of other people you already trust. I trust my friends, because in the past they've shown themselves to be trustworthy. People who have once abused that trust are no longer my friends. I trust my friends' judgement, so there is also some form of trust towards the friends of my friends. For some things I trust them, like lending them a movie. For other things, like giving them a key to my home, I don't.
Back to Chris Wadge's Debian packages. There are two options: either you find a security issue in his packaging, or you don't.
The case where you find a security issue in his package that is related to his packaging will be clear to everybody. But what if you don't? It will require a lot of time and knowledge to completely prove that his packaging is done securely. Unless you are willing to do this for every package he releases, you will come to a point where you decide whether to trust him or not.
With all this in mind, I hope you understand that it's a bit weird to ask Chris Wadge about the security of his packages. I'm not going to tell you whether you can trust Chris Wadge or not. That's for you to decide. All I can say is that every time we 'spoke' via e-mail, he has proven to me that he knows very well what he's talking about when it comes to IT (security) and he has always shown a very professional attitude. The rest is up to you.