Classification: UNCLASSIFIED

I agree 100% with Jim Hyslop's POV.

> > There's also still the whole issue of trust.
> How did I know you were going to bring that up? :=)

Like ANYBODY who looks at the CVS code can trust it! So it's not as bad as qmail and other hideous projects out there but the code-base is anything but "reassuring". Hell, I broke the build on v1.11.11 just by not enabling the pserver capability - that self-same capability that everybody maintains is "dangerous". Not to mention it's a list mantra that CVS was never designed with security in mind. And you think it deserves to be trusted in any way, shape or form?

> project I use. In many cases, I don't even care about the
> build step - all I want is the final product. With a
> pre-built binary, I don't have to second-guess myself.

True enough. It's less about second-guessing on my part; I can't expect my customers/clients to go have to build their own version from source every single time. About all I can expect of them is to run 'rpm' or 'up2date'. They don't NEED to be C programmers or gurus. They just want to get their work done.

> As you well know, trust is a very personal thing. You, for
> example, appear to trust no-one or nothing on the 'Net. I
> respect that view, but it is not the same as mine. While I
> believe some caution and skepticism are healthy, I can see
> the desire and need to have some reasonably trusted sources
> for the binaries.

CVS is a gnat in the scheme of things. If pre-built binaries were such a problem, why do zillions of *BSD, Linux, *nix, windoze users do nothing but install binaries (and MS doesn't even sign their stuff)? The opportunity to trojan Linux or OpenBSD is FAR more attractive than diddling with a source control system.

> How many people who download the source tar files actually
> verify the MD5 checksum?

Almost nobody.

> Even if they verify the checksum, a hacker could replace the
> tar file and modify the web page to show the MD5 checksum of
> the hacked tarball.

Or anyone running a mirror could likewise play games.
