John Sonnenschein wrote:
>
> On 18-Nov-08, at 1:40 PM, Shawn Walker wrote:
>
>> John Sonnenschein wrote:
>>> On 18-Nov-08, at 1:37 PM, Jim Walker wrote:
>>>> John Sonnenschein wrote:
>>>>> It's one thing if someone makes a mistake and accidentally breaks
>>>>> things, even security things; it's another thing if we institutionalize
>>>>> and automate the ability to upload malware. Even debian/unstable hasn't
>>>>> done that. Do we /really/ want to be the first to have viruses in our
>>>>> blessed repos?
>>>> We can update the language relative to source code, but it's a big
>>>> jump to imply we are opening the doors to malware.
>>>>
>>>> All the packages going into /contrib and /pending go through review by
>>>> the community, which on its own provides a big filter.
>>> My point is essentially that unless the source code is built by a
>>> controlled system there's no way to verify that it is what the
>>> source code pointer says it is, so it ought to be treated as an
>>> exception to the rule, which means that someone trusted ought to be
>>> the submitter (or trusted by proxy) and the default shouldn't be to
>>> accept the package. If there's a good reason to have a pure binary,
>>> there's a reason and it can be accepted assuming the trust is there.
>>> Malware is perhaps an extreme example, but as I see /pending now
>>> there's not a whole lot preventing it other than someone vetting
>>> that the package, through some minimal amount of testing, does what it
>>> claims to do at this moment. If it's malware there's no real way to
>>> detect that, even post-mortem.
>>
>> The reality is, even with source code, or automatically building
>> something, there's no practical way to guarantee that a program is not
>> malicious (unintentionally or not).
>>
>> Specifically, I sincerely doubt that every single contributed package
>> is going to have every single line of source code checked to verify
>> that something malicious wasn't introduced.
>>
>> I agree that it can reduce the risk, but it does not eliminate it.
>
> Even if it doesn't eliminate it, it serves as a big disincentive to do
> anything, by virtue of the fact that it's not easily hidden. It's the same
> reason supermarkets put up cameras to prevent shoplifting: in reality it
> does very little, but it leaves evidence behind, which in and of itself
> stops some people.
I just wanted to point out that I think this particular point of contention isn't important. I thought all of this was already covered by the votes needed to approve something and the condition of supplying the source code.

Remember that this is a manual process right now, until we have better tools in place (such as pkgfactory, etc.) to automatically manage and rebuild some of the contributions made.

If you insist on rebuilding the binaries packaged by a community member, instead of allowing them to do that, you're doing two things:

* You are insinuating a level of distrust in the contributor.
* You are duplicating effort that was already expended.

Now, if the contributed item can be placed into or be part of some automated system, then the above doesn't really matter. However, until there can be an automated process, it's silly to do otherwise in my view.

Again, there are numerous rules and mechanisms in place to deal with offenders. I would rather assume most contributors are not malicious (unintentionally or otherwise) and deal with it that way than treat everyone with distrust.

-- 
Shawn Walker

_______________________________________________
indiana-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
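The thread turns on one technical claim: a contributed binary can only be tied to its source pointer if a controlled system rebuilds it, and the thread expects a future tool (pkgfactory is named) to automate that. The following is an added example, not code from the indiana-discuss thread or from any OpenSolaris tool, of the gate such an automated step would apply: rebuild from the supplied source, confirm the rebuild itself is deterministic, compare the digest with the uploaded binary, enforce the review-vote condition the reply mentions, and keep an evidence record either way (the "cameras" argument: a verifiable record, not a guarantee). The `Contribution` record, the `controlled_build` stand-in, the package layout it produces and the vote threshold are all constructed assumptions for illustration.

```python
"""Added example (assumptions throughout): a 'rebuild and compare' acceptance gate
for a contributed package, modelled on the thread's argument that a binary
which a controlled build cannot reproduce should not be accepted by default."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Contribution:
    name: str
    source: Optional[Dict[str, bytes]]  # filename -> contents; None = pure binary, no source supplied
    binary: bytes                        # the artifact the contributor uploaded
    approvals: int                       # community review votes recorded so far


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)
    evidence: Dict[str, str] = field(default_factory=dict)  # digests kept for post-mortem


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def controlled_build(source: Dict[str, bytes]) -> bytes:
    """Stand-in for a real build in a controlled environment (constructed assumption).
    Deliberately deterministic: files are packed in sorted name order behind a fixed
    header, so two builds of identical source produce identical bytes."""
    out = b"PKG\x00"
    for name in sorted(source):
        out += name.encode("utf-8") + b"\x00" + source[name] + b"\x00"
    return out


def gate(contrib: Contribution, required_votes: int = 2,
         build: Callable[[Dict[str, bytes]], bytes] = controlled_build) -> Verdict:
    """Decide whether a contribution may enter the repository and record why."""
    v = Verdict(accepted=False)
    v.evidence["submitted_sha256"] = sha256(contrib.binary)

    # Pure binaries are the exception the thread describes: no default acceptance.
    if contrib.source is None:
        v.reasons.append("no source supplied: pure binary needs a trusted submitter, not default acceptance")
        return v

    # Rebuild twice: if the build is not reproducible, no comparison can tie binary to source.
    first, second = build(contrib.source), build(contrib.source)
    v.evidence["rebuilt_sha256"] = sha256(first)
    if first != second:
        v.reasons.append("controlled build is not reproducible; cannot tie binary to source")
        return v

    # The uploaded artifact must be byte-identical to the controlled rebuild.
    if first != contrib.binary:
        v.reasons.append("submitted binary differs from controlled rebuild of the supplied source")
        return v

    # The review-vote condition the thread already relies on still applies.
    if contrib.approvals < required_votes:
        v.reasons.append(f"only {contrib.approvals} of {required_votes} review approvals recorded")
        return v

    v.accepted = True
    v.reasons.append("rebuild matches submitted binary and review threshold met")
    return v


if __name__ == "__main__":
    # Constructed sample contributions.
    src = {"hello.sh": b"#!/bin/sh\necho hi\n", "README": b"trivial sample\n"}
    samples = [
        Contribution("clean", src, controlled_build(src), approvals=2),
        Contribution("tampered", src, controlled_build(src) + b"\x00extra", approvals=5),
        Contribution("pure-binary", None, b"\x7fELF...", approvals=5),
        Contribution("unreviewed", src, controlled_build(src), approvals=1),
    ]
    for c in samples:
        verdict = gate(c)
        print(f"{c.name:12} accepted={verdict.accepted}  {verdict.reasons[0]}")
        print(f"{'':12} evidence={verdict.evidence}")
```

The evidence dictionary is the part worth keeping even when the answer is "accept": it is what lets a later reviewer show which bytes were vetted, which is the disincentive effect the thread attributes to leaving evidence behind.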
