Well, the security argument depends more on "you *could*" than on "you *do*". Somewhere out there is someone crazy enough to comb through any given source kit looking for evil. Would any counterfeiter have the guts to set up his print shop on the sidewalk outside a police station? Much of security boils down to convincing the bad guys that they *could* be caught.
The efficiency argument (you can tune it to your specific setup) doesn't really apply to Java programs (like Tomcat) because the (virtual) "hardware" is the same everywhere. If the build process isn't configurable, I wouldn't give this one any weight for Java app.s.

There's the self-maintenance argument: if you see anomalous behavior, or want to make modifications, or just want to better understand what's going on, you can read or modify the source. If you're not at least part programmer, though, you probably won't do that.

The other argument is that you know what goes into your system. For example, I know that Gnome is a big fat pig because I have one Slackware system where I've had to spend hours pulling down library after library after huge library just to get one or two tiny app.s to compile. :-) Again, this has little application to Java app.s because their packaging teams always throw in whatever pile of .jar files is needed to make them work, no matter how many copies of any library you may have already.

So, if you're not going to inspect the code yourself, it makes little difference whether you build Tomcat yourself or let someone else do it for you. The one weak argument against is that popularity of source packages tends to make the risk of corrupting them seem larger, so you could lie to the bad guys by fetching a source kit that you intend to blindly install. I doubt this would sway many sysadmin.s.

As another Gentoo fan, I'd certainly get source and tweak the living daylights out of the build configuration and compiler switches of any non-Java app. I wanted. But I probably wouldn't do the same for a Java app. unless I had some reason to dig into the source myself.

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he means the exact opposite.