On 18-Nov-08, at 2:03 PM, Shawn Walker wrote:

> John Sonnenschein wrote:
>> On 18-Nov-08, at 1:40 PM, Shawn Walker wrote:
>>> John Sonnenschein wrote:
>>>> On 18-Nov-08, at 1:37 PM, Jim Walker wrote:
>>>>> John Sonnenschein wrote:
>>>>>> It's one thing if someone makes a mistake and accidentally
>>>>>> breaks things, even security things; it's another thing if we
>>>>>> institutionalize and automate the ability to upload malware.
>>>>>> Even debian/unstable hasn't done that. Do we /really/ want to
>>>>>> be the first to have viruses in our blessed repos?
>>>>> We can update the language relative to source code, but it's a
>>>>> big jump to imply we are opening the doors to malware.
>>>>>
>>>>> All the packages going into /contrib and /pending go through
>>>>> review by the community, which on its own provides a big filter.
>>>> My point is essentially that unless the source code is built by
>>>> a controlled system there's no way to verify that it is what the
>>>> source code pointer says it is, so it ought to be treated as an
>>>> exception to the rule, which means that someone trusted ought to
>>>> be the submitter (or trusted by proxy) and the default shouldn't
>>>> be to accept the package. If there's a good reason to have a
>>>> pure binary, there's a reason and it can be accepted assuming
>>>> the trust is there.
>>>> Malware is perhaps an extreme example, but as I see /pending now
>>>> there's not a whole lot preventing it other than someone vetting
>>>> that the package, through some minimal amount of testing, does
>>>> what it claims to do at this moment. If it's malware there's no
>>>> real way to detect that even post-mortem.
>>>
>>> The reality is, even with source code, or automatically building
>>> something, there's no practical way to guarantee that a program is
>>> not malicious (unintentionally or not).
>>>
>>> Specifically, I sincerely doubt that every single contributed
>>> package is going to have every single line of source code checked
>>> to verify that something malicious wasn't introduced.
>>>
>>> I agree that it can reduce the risk, but it does not eliminate it.
>> Even if it doesn't eliminate it, it serves as a big disincentive to
>> do anything, by virtue that it's not easily hidden. It's the same
>> reason supermarkets put up cameras to prevent shoplifting: in
>> reality it does very little, but it leaves evidence behind, which in
>> and of itself stops some people.
>
> I just wanted to point out that I think this particular point of
> contention isn't important.
>
> I thought all of this was already covered by votes needed to approve
> something and the condition of supplying the source code.
>

I thought so too, but then I checked the updated link about the pending
repo and it looked like the opposite of everything we agreed on the other
day.

> I would rather assume most contributors are not malicious
> (unintentionally or otherwise) and deal with it that way than treat
> everyone with distrust.

Trust is earned. A healthy amount of distrust is fine IMO. I also lock my
door when I leave the house, even though I mostly trust everyone in my
apartment building.

-JohnS

_______________________________________________
indiana-discuss mailing list
indiana-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss