On Wednesday, 11 September 2013 at 20:16:52 UTC, H. S. Teoh wrote:
On Wed, Sep 11, 2013 at 10:07:02PM +0200, Jacob Carlborg wrote:
On 2013-09-11 17:09, Dicebot wrote:

>Those should be provided as sources and built by dub too.
>Distributing binary packages requires both package signing and
>reasonable web of trust - something that is not easy to "just
>implement" from scratch. Otherwise any single malicious package may
>ruin reputation of the whole system.

The same can be said of malicious source code. Just because it wasn't precompiled for you doesn't mean you're going to read through every line to ensure there are no malicious bits before compiling and using it. Using the package at all -- regardless of whether it's source or binary -- implies a certain level of trust already.

Source packages are never trusted by default. It is your (and the community's) responsibility to verify the source if it is important. Or just ignore the possible consequences if it is not worth it. Contrary to this, a binary package does not leave any verification options, and in the absence of any package signing / trust network one has no other choice but to always consider those harmful.

It is a subtle but important difference. As far as I am aware, all major Linux distributions have rather complex infrastructure that assures basic package safety. It is imperfect, of course, but any custom system will be far, far away even from that.
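To make concrete what "package signing" buys a consumer of binary packages, here is an added example (not code from dub or from anyone in this thread) of the minimal check a package manager could run before installing an archive: a signer commits to the archive's SHA-256 digest in a small manifest and signs it with Ed25519, and the client accepts the archive only if the manifest signature verifies under one of its trusted keys and the archive still hashes to the committed digest. The `SignedPackage` type, the manifest layout and the "trusted keys" slice are assumptions made for this example; how those trusted keys are distributed and revoked (the web-of-trust problem raised above) is exactly the part this code does not solve.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedPackage is a hypothetical wire format: the archive bytes, the
// manifest the signer committed to, and the signature over that manifest.
type SignedPackage struct {
	Name      string
	Version   string
	Archive   []byte // binary or source archive as downloaded
	Manifest  string // "name version sha256hex", the only thing that is signed
	Signature []byte // Ed25519 signature over Manifest
}

// TrustedKeys is the client's trust root: public keys it already accepts.
type TrustedKeys []ed25519.PublicKey

var (
	ErrUntrustedSigner = errors.New("manifest signature does not verify under any trusted key")
	ErrDigestMismatch  = errors.New("archive digest does not match the signed manifest")
)

// NewSignerKey creates a fresh Ed25519 key pair (constructed for the example).
func NewSignerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// manifestFor binds name and version to the archive's SHA-256 digest, so a
// signature over it also covers the archive contents.
func manifestFor(name, version string, archive []byte) string {
	sum := sha256.Sum256(archive)
	return fmt.Sprintf("%s %s %s", name, version, hex.EncodeToString(sum[:]))
}

// SignPackage is what the publisher runs: hash the archive, sign the manifest.
func SignPackage(priv ed25519.PrivateKey, name, version string, archive []byte) SignedPackage {
	m := manifestFor(name, version, archive)
	return SignedPackage{
		Name: name, Version: version, Archive: archive,
		Manifest: m, Signature: ed25519.Sign(priv, []byte(m)),
	}
}

// VerifyPackage is what the client runs before installing. Signature first,
// then digest: an archive with a valid signature but altered bytes is rejected
// just like one signed by a key the client never trusted.
func VerifyPackage(trusted TrustedKeys, p SignedPackage) error {
	signed := false
	for _, pub := range trusted {
		if ed25519.Verify(pub, []byte(p.Manifest), p.Signature) {
			signed = true
			break
		}
	}
	if !signed {
		return ErrUntrustedSigner
	}
	if p.Manifest != manifestFor(p.Name, p.Version, p.Archive) {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv := NewSignerKey()
	archive := []byte("constructed archive bytes for the example")
	pkg := SignPackage(priv, "example-lib", "1.0.0", archive)

	fmt.Println("genuine:", VerifyPackage(TrustedKeys{pub}, pkg))

	tampered := pkg
	tampered.Archive = append([]byte(nil), archive...)
	tampered.Archive = append(tampered.Archive, "\n// extra bytes"...)
	fmt.Println("modified archive:", VerifyPackage(TrustedKeys{pub}, tampered))

	otherPub, _ := NewSignerKey()
	fmt.Println("unknown signer:", VerifyPackage(TrustedKeys{otherPub}, pkg))
}
```

The order of the checks matters for the point made in the thread: the digest alone only proves the download is intact, and a signature from an unknown key proves nothing, so a client with no trust root at all has no check left that distinguishes a benign binary from a hostile one.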
