Greg A. Woods wrote:
> [ On Tuesday, February 17, 2004 at 08:36:43 (+0000), Andy Jones wrote: ]
> > Subject: Re: Binary release announcements?
> >
> > For my own part, there are some programs I am comfortable compiling
> > and some I most certainly am not. It so happens that CVS falls in the
> > former category (now), but I can certainly sympathise with people who
> > put it in the latter.
>
> I think you've got this all wrong.

No, I don't think he does (more after the next section).
> People who don't want, or can't, compile their own programs should be
> looking to their software integration "vendor" for such support. If
> those people don't already have someone doing their software integration
> for them then it's long past time and they should think seriously about
> finding someone they can trust to help them out.
>
> There's also still the whole issue of trust.

How did I know you were going to bring that up? :=)

A perfect case in point is the recent thread about the Windows build being broken - again. I've been through this many times with various open source projects, and trying to get the software to build just is not worth the hassle involved if there's a pre-built binary available from a site I trust (there's that word again). Even when I can build from source, I always have a nagging doubt - what if I've missed some critical configuration option that hasn't been documented, or is documented in a very obscure place? I don't want to have to read through dozens of pages of documentation. I don't want to have to be intimately familiar with each and every build process for each open-source project I use. In many cases, I don't even care about the build step - all I want is the final product. With a pre-built binary, I don't have to second-guess myself.

Again, you need to look at this from the point of view of the people *using* the software. You have to stop thinking like the hard-core UNIX programmer you are, and think like your users.

> As I understand it the folks producing the source release don't also
> produce all of the binaries, and I'm not sure how much they trust those
> who do produce the binaries, nor if they've ever declared the level of
> their trust.

As you well know, trust is a very personal thing. You, for example, appear to trust no-one or nothing on the 'Net. I respect that view, but it is not the same as mine.
While I believe some caution and skepticism are healthy, I can see the desire and need to have some reasonably trusted sources for the binaries. I trust that the maintainers of the cvshome web site will not knowingly do anything malicious, and will act quickly to remove anything from the web site that they learn is malicious. If someone provides defective binaries (where "defective" could include bad builds, corrupted binaries, binaries based on unofficial sources [ranging from minor, innocuous changes to back doors], files infected with malware, etc.), I would presume the problems will become evident fairly quickly, and the person who provided the bad binaries would at the least be chastised, or even possibly be blacklisted from providing binaries to the cvshome web site. If or when anything like that happens, then I will have to re-evaluate my level of trust in the binaries available at cvshome.

> At least with the source you can read it and you can compare it with
> previous versions that you've come to trust (especially in this case
> where you can use the tool in question to do those comparisons).

Sure, having the source code available is great - but how many of the people who use CVS have actually *looked* at that source code? Even those who build from source probably have not given the source code more than a cursory glance. How many people who download the source tar files actually verify the MD5 checksum? Even if they verify the checksum, a hacker could replace the tar file and modify the web page to show the MD5 checksum of the hacked tarball. How many of the people who build from source double-check that the source files are actually the same as the ones that were placed on the web site? How much trust do you put in the source code? Again, that's a personal decision.

And then there's the question of competence. I know we're talking specifically about CVS here, which is not a hugely complex program, but your statements above are very general.
There are certain programs I simply am not qualified to judge whether or not the source code is correct - GPG, for example. I have no choice but to trust that the source code is correct. There's no point in me even looking at the code. So, if I'm not even going to look at the code, why should I have to compile it from source if there's a pre-built binary available?

--
Jim Hyslop
Senior Software Designer
Leitch Technology International Inc. (<http://www.leitch.com/>)
Columnist, C/C++ Users Journal (<http://www.cuj.com/experts>)

p.s. Greg, my apologies for not responding to your personal email. I'm not ignoring you. Really!

_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
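As an added illustration of the checksum point raised in the mail (example code written for this page, not from the original thread or the CVS project): a digest printed on the same page as the download still matches after an attacker replaces both, whereas a digest recorded from an independent channel catches the swap. The tarball bytes are constructed stand-ins, and MD5 is used only because it is the digest the thread discusses.

```python
import hashlib
import hmac

# Constructed stand-ins for a release tarball and a tampered copy of it
# (not real CVS release bytes).
GENUINE_TARBALL = b"constructed: genuine cvs release tarball bytes\n"
TAMPERED_TARBALL = b"constructed: tampered cvs release tarball bytes\n"


def md5_hex(data: bytes) -> str:
    """MD5 hex digest, the checksum the thread talks about."""
    return hashlib.md5(data).hexdigest()


def checksum_matches(tarball: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the download's digest with an expected
    value. What the check is worth depends entirely on where `expected_hex`
    came from, not on the arithmetic."""
    return hmac.compare_digest(md5_hex(tarball), expected_hex)


def simulate_site_compromise() -> dict:
    """Model the scenario from the mail: the attacker replaces the tarball
    and rewrites the checksum shown on the download page to match it.

    - page_check_passes:   digest taken from the same (now rewritten) page;
                           it only ever detected accidental corruption.
    - pinned_check_passes: digest recorded out of band before the swap
                           (a signed announcement mail, an earlier verified
                           copy, a second mirror); the attacker cannot
                           rewrite that value."""
    pinned = md5_hex(GENUINE_TARBALL)            # recorded out of band
    served_tarball = TAMPERED_TARBALL            # what the site now serves
    served_page_checksum = md5_hex(TAMPERED_TARBALL)  # attacker-updated page
    return {
        "page_check_passes": checksum_matches(served_tarball, served_page_checksum),
        "pinned_check_passes": checksum_matches(served_tarball, pinned),
    }


if __name__ == "__main__":
    result = simulate_site_compromise()
    print("same-page checksum accepts tampered file:", result["page_check_passes"])
    print("out-of-band checksum accepts tampered file:", result["pinned_check_passes"])
```

The same split applies to a detached signature: it only helps when the verifying key was obtained somewhere the attacker could not also rewrite.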
