At 17:21 Uhr -0800 05.04.2002, Ben Hines wrote:
>At 7:11 PM +0100 4/5/02, Finlay Dobbie wrote:
>>
>>For those of you who missed fully reading and comprehending Max's 
>>message, building the binary distribution on the OS X Compiler Farm 
>>is too much of a security risk, which is why I made my suggestion.
>
>
>Yep. I reread the message and noticed that, after. (I was led astray 
>by his comment that he had built fink stuff on the servers)
>
>Anyway, the idea that we shouldn't use the compile farm machines due 
>to the fact that they could be compromised is IMO silly... But, 
>whatever... :)

I don't think it's that silly. Think about it. There has been at 
least one security hole in OS X (in NetInfo) in the past that could 
only be exploited by local users to gain root. On my box, that's only 
me, so almost no risk. On SF's compile farm, over 300,000 individuals 
have access. Would you bet on the fact that there is no other 
similar hole left?

A classical way to get trojans spread: take over a compile farm 
secretly. Replace the compiler with your own, which compiles in a 
trojan in every executable. You may think this is silly, but exactly 
this has happened in the past! I don't say it's likely, but then 
several thousands of people are relying on us and use Fink, and also 
our bindist. I wouldn't want to risk this, esp. considering the bunch 
of lawsuits that'd be filed against *me* and not against you, if 
something like this ever happened.


Max
-- 
-----------------------------------------------
Max Horn
Software Developer

email: <mailto:[EMAIL PROTECTED]>
phone: (+49) 6151-494890
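
The defensive counterpart to the scenario Max describes (a shared build host that cannot be fully trusted) is to never let one host's output become the release on its own: build the same source on independent machines and refuse to ship anything whose digests disagree. The script below is an added example, not code from this thread or from the Fink project; the builder names, artifact names and contents are constructed for illustration.

```python
"""
Cross-check release artifacts built on independent machines.

Added example, not from the fink-devel thread or the Fink project. It
assumes a release process in which the same source is built on several
independent hosts and each host reports a SHA-256 digest per artifact.
All names and payloads below are constructed.
"""
import hashlib
from typing import Dict, List


def digest_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an artifact's contents."""
    return hashlib.sha256(data).hexdigest()


def compare_builds(builds: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Given {builder: {artifact: digest}}, return every artifact whose
    digest is not identical across all builders, as
    {artifact: {digest or '<missing>': [builders with that value]}}.
    An artifact that one builder did not produce at all is reported too,
    since a silently dropped file is just as suspicious as a changed one."""
    artifacts = set()
    for table in builds.values():
        artifacts.update(table)
    suspicious: Dict[str, Dict[str, List[str]]] = {}
    for art in sorted(artifacts):
        by_digest: Dict[str, List[str]] = {}
        for builder, table in builds.items():
            by_digest.setdefault(table.get(art, "<missing>"), []).append(builder)
        if len(by_digest) > 1:
            suspicious[art] = by_digest
    return suspicious


def release_ok(builds: Dict[str, Dict[str, str]], min_builders: int = 2) -> bool:
    """Release gate: require at least min_builders independent builds and
    no artifact that differs between them. One host (e.g. a shared farm)
    can never approve its own output."""
    return len(builds) >= min_builders and not compare_builds(builds)


# Constructed sample payloads standing in for the real release files.
CLEAN = {
    "fink-0.9.tar.gz": b"fink source tarball (constructed)",
    "libfoo-1.0.pkg": b"libfoo package payload (constructed)",
}


def sample_builds() -> Dict[str, Dict[str, str]]:
    """Three builders reporting digests; the shared farm's copy of one
    package carries extra bytes, standing in for an unexplained change."""
    farm = dict(CLEAN)
    farm["libfoo-1.0.pkg"] = CLEAN["libfoo-1.0.pkg"] + b" extra"
    return {
        "maint-laptop": {n: digest_bytes(b) for n, b in CLEAN.items()},
        "buildbox-2": {n: digest_bytes(b) for n, b in CLEAN.items()},
        "shared-farm": {n: digest_bytes(b) for n, b in farm.items()},
    }


if __name__ == "__main__":
    builds = sample_builds()
    for art, groups in compare_builds(builds).items():
        print(f"MISMATCH {art}")
        for digest, who in groups.items():
            print(f"    {digest[:16]}...  built by {', '.join(who)}")
    print("release ok" if release_ok(builds) else "release BLOCKED")
```

The gate only tells you that two builds differ, not which one is honest; that is the point. A difference between a personal machine and the farm is a question to answer before the bindist goes out, and with only one builder there is no question to ask.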

_______________________________________________
Fink-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-devel
