Re: sysutils/ipfs-go downloads pre-built binaries while sources are available
On 03/12/18 14:06, Kurt Jaeger wrote: Yes, but the boundary can not be drawn at the 'source' border. My fear is that we do not really understand where the border lies. In general this is true. However, in case of Go or C++ the boundary is clear. -) Yuri ___ freebsd-ports@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
Re: sysutils/ipfs-go downloads pre-built binaries while sources are available
Hi! > On 03/12/18 13:42, Adam Weinberger wrote: > > While source is preferred over binary, we don???t delete ports just > > because they have binary blobs. > Binary downloads have an entirely different trust model. You have to > trust the producer of the binary, vs. with source code it is much more > obvious what does it do. Even a modest amount of HTML mixed with JavaScript can be a deathtrap. So what is source code again ? > Neglect or misunderstanding of this difference > leads to rampant spread of malware on Windows and cell phones. Yes, but the boundary can not be drawn at the 'source' border. My fear is that we do not really understand where the border lies. -- p...@opsec.eu+49 171 3101372 2 years to go ! ___ freebsd-ports@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
Re: sysutils/ipfs-go downloads pre-built binaries while sources are available
On 03/12/18 13:42, Adam Weinberger wrote: While source is preferred over binary, we don’t delete ports just because they have binary blobs. Binary downloads have an entirely different trust model. You have to trust the producer of the binary, vs. with source code it is much more obvious what does it do. Neglect or misunderstanding of this difference leads to rampant spread of malware on Windows and cell phones. Yuri ___ freebsd-ports@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
Re: sysutils/ipfs-go downloads pre-built binaries while sources are available
On 12 Mar, 2018, at 11:30, Yuri wrote: There should be no reason to download prebuilt executables for open source software. Binaries present security risk. It violates chapter 5.4 of PHB which mentions that MASTER_SITES/DISTNAME refers to "source archive", and for sysutils/ipfs-go it isn't a source archive. This port should be either deleted or reworked. While source is preferred over binary, we don’t delete ports just because they have binary blobs. # Adam -- Adam Weinberger ad...@adamw.org http://www.adamw.org ___ freebsd-ports@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
Re: sysutils/ipfs-go downloads pre-built binaries while sources are available
Also https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218179 On 18-03-12 10:30:53, Yuri Victorovich wrote: > There should be no reason to download prebuilt executables for open > source software. Binaries present security risk. > > It violates chapter 5.4 of PHB which mentions that MASTER_SITES/DISTNAME > refers to "source archive", and for sysutils/ipfs-go it isn't a source > archive. > > > This port should be either deleted or reworked. > > > Yuri > > ___ > freebsd-ports@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-ports > To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org" -- Dmitri Goutnik d...@syrec.org | GPG: https://syrec.org/d...@syrec.org.asc ___ freebsd-ports@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"