On 2/10/2016 10:01 AM, Kurt Jaeger wrote:
> Hi!
>
>> I'm racking my brains and I can't find a single rational reason why
>> somebody would refuse the package (especially if building it on an Atom
>> is the alternative).
>
> The famous paper from Ken Thompson: Reflections on trusting trust
>
> http://dl.acm.org/citation.cfm?doid=358198.358210
>

The source is publicly available on GitHub. The only way that Thompson paper could apply is if a trojan is inserted at the FreeBSD package builder level.

So I guess [A] could say FreeBSD package builder is compromised (intentionally by the FreeBSD project or unknown to all due to a hacker). And I guess that could be possible, but the counter is: If you can't trust packages built by FreeBSD, how can you trust the FreeBSD base not to have a trojan? Which would mean that only the people that *also* build FreeBSD from source would have a leg to stand on.

So I will concede that case: If you accept no binaries at all from FreeBSD and only build base and packages from source, then you have a point. But still the response, "Then don't complain" applies. It's a conscious decision and consequences of decisions must be accepted.

Besides, this theoretical person will have a lot more issues than lil' ole Synth. It will be in the noise compared to LibreOffice, webkit (x5), kde, etc.

John

_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"