Guido Berhoerster wrote:
> * Shawn Walker <[EMAIL PROTECTED]> [2008-11-13 17:23]:
>> John Sonnenschein wrote:
>>> I'd just like to throw my thoughts in to the ring for this, but the 
>>> genunix page lists "Binary only packages allowed" as a goal..
>>>
>>> That is, in my opinion, a /TERRIBLE/ idea, and likely to get people 
>>> in more trouble and reflect worse on (open)solaris than just simply not 
>>> having the packages at all. Any sort of poor software, either through 
>>> malice (trojans) or incompetence (running being heavily dependent on the 
>>> builder's specific system setup) can be sneaked in with absolutely no 
>>> oversight.
>>
>> That's assuming that the packages don't:
>>
>> 1) receive any vetting at all
> 
> So how does the reviewer make sure (with reasonable effort) that
> the submitter has not injected malicious code in the binary package
> he submitted?
> 
>> 2) that all contributed packages will have source code legally available
> 
> That would probably be the majority of all cases as the number of
> redistributable binary software for OpenSolaris is rather small
> compared to the huge number of FOSS which could be ported.
> Besides, closed source packages need not be excluded if packages
> are built with standardized recipes on os.o. pkgbuild recipes can
> handle them. However I _can choose_ not to install them.

By building, are you saying compiling or assembling?  There's a large 
difference.

>> Source code != trust; look at the fairly recent debian incident with one 
> 
> That's a null argument, I could argue that this was found because
> of the source code and build recipe was open and available.

...yes, but it took over two years to find it.  Proving that you cannot 
use source code availability as proof of trustworthiness.

> Generalizing an incident like this is absurd.

No more absurd than asserting that source code availability ensures trust.

>> of their encryption related packages.  Just because you automate a build 
>> does not make the software trustworthy.
> 
> No, but it eliminates one source of risk, that is the submitter.
> I still have to trust the author and the distributor (the
> OpenSolaris project). And if it is OSS the risk of malicious code
> in the is lower as there is a bigger chance of people discovering
> it, furthermore I have at least the theoretical possibility to
> audit the source myself if I want to.

No, it reduces one source of risk, it does not eliminate.

-- 
Shawn Walker
_______________________________________________
indiana-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
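The thread's open question is how a reviewer, with reasonable effort, can tell whether a submitted binary package matches what the standardized build recipe actually produces. One defender-side answer is the check below: rebuild from the recipe independently, take per-file digests of both artifacts, and report any file that was added, dropped or changed. This is example code added to the thread, not code from OpenSolaris, pkgbuild or any of the posters; packages are modelled as a mapping of file path to file bytes (a real package would be unpacked into such a map), and all sample contents are constructed.

```python
"""Reviewer-side check: does a submitted binary package match an independent
rebuild from the recipe?  Added example, not from OpenSolaris, pkgbuild or
any poster in this thread.  A package is modelled as {path: bytes}."""
from __future__ import annotations

import hashlib
from typing import Dict, List, Tuple


def manifest(package: Dict[str, bytes]) -> Dict[str, str]:
    """Per-file SHA-256 digests, so a mismatch points at a specific file
    rather than just 'the package differs'."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in sorted(package.items())}


def compare_packages(submitted: Dict[str, bytes],
                     rebuilt: Dict[str, bytes]) -> Tuple[bool, Dict[str, List[str]]]:
    """Return (matches, details).  matches is True only when the file sets are
    identical and every file's digest agrees.  details lists paths present
    only in the submission ('extra'), only in the rebuild ('missing'), or in
    both with different content ('changed')."""
    sub, reb = manifest(submitted), manifest(rebuilt)
    extra = sorted(set(sub) - set(reb))
    missing = sorted(set(reb) - set(sub))
    changed = sorted(p for p in set(sub) & set(reb) if sub[p] != reb[p])
    matches = not (extra or missing or changed)
    return matches, {"extra": extra, "missing": missing, "changed": changed}


# Constructed sample data: what the recipe rebuild produced on the reviewer's
# side, a submission that matches it, and one that does not.
RECIPE_BUILD: Dict[str, bytes] = {
    "usr/bin/tool": b"\x7fELF...tool-v1",
    "usr/share/doc/tool/README": b"tool documentation",
}
SUBMITTED_OK: Dict[str, bytes] = dict(RECIPE_BUILD)
SUBMITTED_DIFFERENT: Dict[str, bytes] = {
    **RECIPE_BUILD,
    "usr/bin/tool": b"\x7fELF...tool-v1-with-extra-bytes",   # content differs
    "usr/lib/helper.so": b"\x7fELF...not-in-recipe",         # file not in recipe
}


def review(submitted: Dict[str, bytes], rebuilt: Dict[str, bytes]) -> str:
    """Human-readable verdict for the reviewer."""
    matches, details = compare_packages(submitted, rebuilt)
    if matches:
        return "OK: submission is byte-identical to the recipe rebuild"
    lines = ["REJECT: submission differs from the recipe rebuild"]
    for kind in ("extra", "missing", "changed"):
        for path in details[kind]:
            lines.append(f"  {kind}: {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(review(SUBMITTED_OK, RECIPE_BUILD))
    print(review(SUBMITTED_DIFFERENT, RECIPE_BUILD))
```

The check only has meaning if the rebuild is reproducible (same toolchain, same inputs, no embedded timestamps); where it is not, the per-file listing at least narrows the reviewer's attention to the files that differ instead of the whole package.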
