Re: sysutils/ipfs-go downloads pre-built binaries while sources are available

2018-03-12 Thread Yuri

On 03/12/18 14:06, Kurt Jaeger wrote:

> Yes, but the boundary can not be drawn at the 'source' border.
> My fear is that we do not really understand where the border lies.

In general this is true. However, in the case of Go or C++ the boundary is
clear. :-)



Yuri

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"


Re: sysutils/ipfs-go downloads pre-built binaries while sources are available

2018-03-12 Thread Kurt Jaeger
Hi!

> On 03/12/18 13:42, Adam Weinberger wrote:
> > While source is preferred over binary, we don’t delete ports just 
> > because they have binary blobs. 

> Binary downloads have an entirely different trust model. You have to 
> trust the producer of the binary, vs. with source code it is much more 
> obvious what it does.

Even a modest amount of HTML mixed with JavaScript can be a deathtrap.

So what is source code again?

> Neglect or misunderstanding of this difference 
> leads to rampant spread of malware on Windows and cell phones.

Yes, but the boundary can not be drawn at the 'source' border.
My fear is that we do not really understand where the border lies.

-- 
p...@opsec.eu  +49 171 3101372  2 years to go !


Re: sysutils/ipfs-go downloads pre-built binaries while sources are available

2018-03-12 Thread Yuri

On 03/12/18 13:42, Adam Weinberger wrote:
> While source is preferred over binary, we don’t delete ports just
> because they have binary blobs.

Binary downloads have an entirely different trust model. You have to
trust the producer of the binary, vs. with source code it is much more
obvious what it does. Neglect or misunderstanding of this difference
leads to rampant spread of malware on Windows and cell phones.



Yuri




Re: sysutils/ipfs-go downloads pre-built binaries while sources are available

2018-03-12 Thread Adam Weinberger

On 12 Mar, 2018, at 11:30, Yuri wrote:

> There should be no reason to download prebuilt executables for open
> source software. Binaries present a security risk.
>
> It violates chapter 5.4 of PHB which mentions that MASTER_SITES/DISTNAME
> refers to "source archive", and for sysutils/ipfs-go it isn't a source
> archive.
>
> This port should be either deleted or reworked.


While source is preferred over binary, we don’t delete ports just because  
they have binary blobs.


# Adam


--
Adam Weinberger
ad...@adamw.org
http://www.adamw.org



Re: sysutils/ipfs-go downloads pre-built binaries while sources are available

2018-03-12 Thread Dmitri Goutnik
Also https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218179

On 18-03-12 10:30:53, Yuri Victorovich wrote:
> There should be no reason to download prebuilt executables for open 
> source software. Binaries present a security risk.
> 
> It violates chapter 5.4 of PHB which mentions that MASTER_SITES/DISTNAME 
> refers to "source archive", and for sysutils/ipfs-go it isn't a source 
> archive.
> 
> 
> This port should be either deleted or reworked.
> 
> 
> Yuri
> 

-- 
Dmitri Goutnik
d...@syrec.org | GPG: https://syrec.org/d...@syrec.org.asc


sysutils/ipfs-go downloads pre-built binaries while sources are available

2018-03-12 Thread Yuri
There should be no reason to download prebuilt executables for open 
source software. Binaries present a security risk.


It violates chapter 5.4 of PHB which mentions that MASTER_SITES/DISTNAME 
refers to "source archive", and for sysutils/ipfs-go it isn't a source 
archive.



This port should be either deleted or reworked.


Yuri
