I totally understand the issue, but I think that it is not as big as many would suggest. I'm not advocating using the SF compile farm at this time; I realize that it's not the *best* idea. In fact, it's almost always better to have our own, if we (fink) can afford it.

On the topic of security, would you like to find out one day that you have several SUID binaries on your system that you did not know about? I recently searched for them and found that fink had installed one from KDE as well as others. It is not mentioned ANYWHERE in the .info file or in any documentation from fink. I think that it should be policy to have a note in the description that mentions any SUID binaries.

JP

On Dec 13, 2003, at 4:58 AM, Darian Lanx wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

John Davidorff Pell wrote:

> Which is a huge problem to begin with, how about we fix that?!
First of all, I have to concur with all the "PROBLEMS" mentioned by Max. There is no single reason why we would _want_ to use a public compile farm. As the one person who watches over our public image I would be the first to scream "Murder" and I would do anything to keep this from happening. The chance that we end up in a situation where a compromised distribution is sent out to thousands of users is simply too big. Fink is no longer your everyday, small open source project. Even though we might not match up with Apache, KDE, GNOME and the like we are still a big player on our own turf.

The problem is not, in my humble opinion, that we would not find enough supporters to roll our own compile farm; the issue is, as stated before, that we simply lack the infrastructure within fink yet to automate the process completely.

I am working very hard on a system that involves GnuPG to ensure that we can trust what is put into Fink, but since this is a rather complex issue, it also takes time.

For me it is not only about technical probabilities, it is also about avoiding a public disaster where Fink ends up getting bad press. That is the last thing we need or want.

- -d

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/2wzvPMoaMn4kKR4RAz6mAJ9H8zor5k4VRmKmUjbaLicdPyMULQCdH5EJ
FmMO1qpEXE9rs4owfAaTKoc=
=X8Kc
-----END PGP SIGNATURE-----




--
"... was it a dream where you see yourself standing in sort-of Sun-God robes, on a pyramid, with a thousand naked women screaming and throwing little pickles at you? ... Why am I the only one who has that dream?"

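The SUID search JP describes above, worked out as an added example (not code from the original post or from the Fink project): a POSIX shell script that lists every set-uid/set-gid file under a prefix and asks dpkg, which Fink uses as its package database, which package installed each one. The /sw prefix in the usage line is Fink's default and an assumption here; the function and file names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Fink project:
# audit a tree for set-uid / set-gid files and report which package, if any,
# owns each one. Fink keeps its package database in dpkg, so "dpkg -S" is
# used for the lookup; the prefix /sw in the usage line is Fink's default
# and an assumption here.

# list_suid DIR: print every regular file under DIR that has the set-uid or
# set-gid bit, one path per line. Stays on one filesystem (-xdev) and
# ignores unreadable directories.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    return 0
}

# file_mode FILE: octal permission bits, e.g. 4755 (GNU stat first, BSD fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1"
}

# owner_of FILE: the dpkg package that shipped FILE, "UNPACKAGED" when no
# package claims it, or "NO-DPKG" when dpkg is not installed at all.
owner_of() {
    if ! command -v dpkg >/dev/null 2>&1; then
        echo NO-DPKG
        return 0
    fi
    pkg=$(dpkg -S "$1" 2>/dev/null | sed 's/:.*//' | head -n 1)
    if [ -n "$pkg" ]; then echo "$pkg"; else echo UNPACKAGED; fi
}

# audit_suid DIR: one line per set-uid/set-gid file: MODE PACKAGE PATH.
# An UNPACKAGED entry is a privileged binary no package accounts for;
# a packaged one is still worth checking against that package's own notes.
audit_suid() {
    list_suid "$1" | while IFS= read -r f; do
        printf '%s %s %s\n' "$(file_mode "$f")" "$(owner_of "$f")" "$f"
    done
}

# Usage: sh suid-audit.sh /sw    (or / for the whole system)
if [ $# -gt 0 ]; then
    audit_suid "$1"
fi
```

Run it once after a fresh install and keep the output; a diff after each `fink install` then shows exactly which package added a privileged binary, which is the information the .info file does not currently give you.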