On Tue, Nov 18, 2008 at 04:03:23PM -0600, Shawn Walker wrote:
> John Sonnenschein wrote:
> > On 18-Nov-08, at 1:40 PM, Shawn Walker wrote:
> >> John Sonnenschein wrote:
> >>> My point is essentially that unless the source code is built by a
> >>> controlled system there's no way to verify that it is what the
> >>> source code pointer says it is, so it ought to be treated as an
> >>> [...]
> >>
> >> The reality is, even with source code, or automatically building
> >> something, there's no practical way to guarantee that a program is not
> >> malicious (unintentionally or not).
> >>
> >> [...]
> >
> > Even if it doesn't eliminate it, it serves as a big disincentive to do
> > anything by virtue that it's not easily hidden. It's the same reason
> > supermarkets put up cameras to prevent shoplifting: in reality it does
> > very little, but it leaves evidence behind, which in and of itself stops
> > some people.
>
> I just wanted to point out that I think this particular point of
> contention isn't important.
This discussion is a rathole. The source is not enough to prove that the
thing isn't malware. Building from source isn't either when we're talking
about ~100,000 pkgs. Light-weight review isn't either.

Also, the pkgfactory project will be contributing pkgs that we build in an
automated way from source, so John's issue will often be taken care of.

Nico

--
_______________________________________________
indiana-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
