> Well, honestly, while I was writing the first messages about packages, I had
> not yet read:
> http://wiki.freedos.org/wiki/index.php/Package
> but I was more thinking about what I would expect, and I still believe there
> is good stuff in what I propose that is missing in most packaging solutions
> (for Linux or others).

>> Probably the reason this hasn't gotten any discussion is that I don't
>> see this as a "problem" that needs to be solved.
> There is at least one problem, but indeed maybe few people care.

I don't think your problem has a solution in DOS, because the DOS
kernel/system has no trust built into it.

besides, there is no program to check a signature for validity, and there is
no RedHat/Debian/whatever certificate installed.

you suggested PGP signatures, but PGP does not exist on
DOS systems. Most likely because there is no default network
connection, email client, or other network infrastructure.

there is only one solution so far: trust that if you download stuff
from https://www.freedos.org that it is doing what it claims to do.

> The main problem with actual package systems is that I do not know if
> the packager is redistributing the binaries as he received them from the
> author, or whether the packager has rebuilt the binaries from sources.
> I believe I know that in the Linux community, it is customary to rebuild
> from sources.
yes. this is possible because *every* linux box has the same compiler
installed. even then it is often fairly complicated to get fedora
stuff to compile on debian; at least it used to be that way.

> I am much less convinced it is also custom in the DOS community.
definitely not. almost nobody has a compiler installed.


> And if it was not practically possible to rebuild the binaries from
> sources, I would really like to know!
why? if it is so important for you, just try to compile it.
if it doesn't compile, don't use it.


> I believe this is important, because it is relatively easy/useful
> to add accompanying spyware to the generated compiled code.
sure. but then only signed *binaries* would help.

> because I don't want to
> compile source code because it is hard to get all the dependencies,
there are *no* dependencies in FreeDOS at all, with the possible
exception of WATTCP.


> and it takes a relatively long time to compile even when I have them.
did you ever try to compile even a single program?
compile times exceeding 10 seconds would be the absolute exception.

> That's why I was trying to add a header, where the packager says if
> he rebuilt all binaries from sources, and signs this header.
as said, signing is useless if you can't check the signature.


> I don't fully trust the packager either, but if he signs the header,
> and I find one package from him giving me binaries doing things not
> in the source code, I can avoid other packages coming from him in the future.

yep. see https://lwn.net/Articles/733431/

Tom



_______________________________________________
Freedos-devel mailing list
Freedos-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freedos-devel