On April 21, 2004 02:45 am, Aaron J. Seigo wrote:
<SNIP>
> many projects do provide GPG signed packages, however. take a look at the
> KDE ftp repository, as just one example. saying that because some other
> project is similarly broken makes it all OK is not exactly logical. we hold
> others (e.g. Microsoft) to a higher standard than this, don't we?

Yes, most definitely, as we should. However, it's a two-sided coin, because while it negates a reason you should use Gentoo, the fact that no one else has solved it negates the argument against. It's exciting to know they're working on it.

> moreover, 3rd party software you download and install is a VERY different
> proposition than the kernel, compiler, etc... that you install as part of
> your OS. what's most galling is that this is not difficult to do, and that
> this provides a level of security that can not be achieved elsewise. it's
> already bitten Gentoo once, so it isn't theoretical. and if they weren't
> fixing it, it would bite them again.

This is definitely a concern. Although I did download my kernel sources myself and compiled them manually [which is the recommended method BTW].

> honestly, i understand how and why you love Gentoo. i've had some good
> experiences with it myself and i work with a guy who is a Gentoo fan. but
> sluffing aside problems like this, especially ones as severe as this, is
> not great practice IMHO.

Which is why they're not being ignored. Gentoo is a baby distro still, but given a little time I think most of these issues will be addressed.

> not only should we desire and demand better and safer technologies for
> ourselves but if we make excuses for our own sloppiness, that opens the way
> for those who would disparage Free Software to have a veritable field day
> with us.
>
> > Plus MDK10 still won't make my sound work out of the box, so I end
> > up kernel-compiling anyways.
>
> which you can do using their GPG signed sources. or the official GPG kernel
> sources, for that matter. ;-)

Which as I said I used w/gentoo. :)

> > Then there's the issue of binary-bloat,
> > 1500 drivers on my machine that I don't need. Blah.
>
> which is orthogonal to the issue of safety and security. =)

But still in the scope of my commentary. Besides, a kernel with every module compiled has a higher chance of having an exploitable piece of code which could potentially be loaded. Unlikely, but plausible. Again I say blah. :-D

I definitely understand your concern, esp. in a corporate environment where your job may be at risk. Let's hope for the greater good they fix this stuff before something bad happens again.

<SNIP>

- Nick W ([EMAIL PROTECTED])
Registered Linux User #324288 (http://counter.li.org)
MSN Messenger: [EMAIL PROTECTED]
Yahoo: foolish_gambit
ICQ: 303276221

_______________________________________________
clug-talk mailing list
[EMAIL PROTECTED]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca

