On Fri, Jan 14, 2005 at 05:52:09PM -0600, Igor Izyumin wrote:
> Karel Kulhavy wrote:
>
> >binary package is a security hole. Someone can put a malicious code
> >into the binary and no one will notice.
> >
>
> Unless you read every line of source code in a package every time you
> download it, the same applies. Actually, running the binary is a little

It suffices when it is subject to a public scrutiny. When you put a malicious code in, someone notices. When you put malicious code into binary package no one notices (unless the code starts to do something actually).

> less risky. You generally don't run the program as root, but if you
> compile from source you have to do 'make install' as root. Those
> install scripts can do just about anything to a system.

But they are subject to public scrutiny.

> >Malicious code in a source code is obvious.
> >
>
> Really? I guarantee you that any programmer worth his salary could hide
> a backdoor in some source code that would be very difficult to find.
>
> >Binary packages run slower because are not optimized for the particular
> >processor. I have noticed about 2 times speedup between compiled GCC
> >and binary GCC. I don't want to buy 3.6GHz system. I'll stick with
> >my 1.8GHz one.
> >
>
> The difference is not perceptible, except in multimedia-intensive

The difference is perceptible clearly in GCC. GCC is not a multimedia-intensive application.

> applications. I am willing to bet that the reason your compiled GCC is
> faster is simply because it's a different version.

This is another thing that the software in distribution tends to be horribly obsolete. Often there are various news about security vulnerabilities in the press and when I examine my version I discover I already have installed the fixed one despite the fact I installed my program long ago.

> >Tried various distros, it was always disaster.
> >
>
> I never had any major problems with my distro (Mandrake). Of course,
> the best way to muck up any Linux installation is by carelessly
> installing different libraries, as you seem to be fond of doing. If you
> stick to distribution-provided core packages, you will be fine.

gEDA and PCB is not a core package, so I am not going to be fine.

Cl<
