On 10/31/16 6:18 AM, John Hawkinson wrote:
> I think we should not lose sight of the fact that mosh is
> security-sensitive software in a category unlike many other
> software packages, and thus it is worth some inconvenience to
> the maintainers that you might not accept in a less sensitive
> tool.
> 
> Another question: would we rather we be compromised at the same time
> when Github or Travis is compromised, or would we rather be
> compromised independently at a different time? Feel free to substitute
> "if" for "when" if it makes you feel better.

A question in reply:  would we be likelier to *discover* that compromise
on a personal, daily-driver OS X install, or on a cloud service provider
with wide visibility (and exposure)?  I'm dubious of my ability to
discover a compromise on my personal machines, and I'd of course like to
keep them personal.  :)

Again, the idea of, say, a project-owned build VM comes up.  Apple's OS
X licensing would seem to restrict this to an Apple developer and an OS
X host, though, which makes this more difficult.

regards,

  --jh

_______________________________________________
mosh-devel mailing list
mosh-devel@mit.edu
http://mailman.mit.edu/mailman/listinfo/mosh-devel
