On Wed, 9 Oct 2002, Ben Hines wrote:

> Indeed. However we don't really have the resources to make sure every
> package has no backdoors, obviously. "what if", Bill? Well, there's
> nothing we can do about that is there. Do you want software or not?
> Fink already is very careful about unstable/stable trees, etc.
> Verifying every tarball for no backdoors is a task greater than porting
> the software to Mac OS X.

Certainly. And if the software itself has backdoors there's little we can do to protect against it as part of fink. But the trojan in sendmail and OpenSSH was in the build process - not the software itself. I think that was why this thread started, questioning building software as root, and whether it was safe (and the original poster was suggesting that it was not).

I don't know enough about the internals of fink to know whether it could drop root during the build process, and I certainly don't know if there will be any more trojans of this sort. Nor will I stop building packages with fink just because of this risk. . .

Bill.

(and I don't know enough about GPG to suggest how to implement an automatic signing process either :( )
