Myra Nelson wrote:
There is one last problem with trust that no one can cure. You either trust
the devs or you don't. This is illustrated by a classic quote from Ken
Thompson:
"The moral is obvious. You can't trust code that you did not totally create
yourself. (Especially code from companies th
On Tue, Mar 16, 2010 at 19:06, Linas wrote:
> I already had this email draft in my head, but Ananda's 'Arch Linux security
> is still poor' thread, on which the point was also brought up, moved me to
> really write it.
>
> First off, there's an implicit level of trust in the package software, no
> m
On 17.03.2010 01:06, Linas wrote:
> There are several ways to close the gap:
> * Always download the package list from ftp.archlinux.org
> It's the easier solution, but it only protects against the mirror
> operator. Moreover, it increases load on that server and makes it a
> single point of failu
On 17/03/10 10:06, Linas wrote:
> Do you think this is a good idea? Which solution do you prefer?
> And most important, what would be needed to reach there?
There have been discussions on the pacman-dev mailing list and there is even
a partial implementation for package signing available. You should
rese
On Tue, Mar 16, 2010 at 20:06, Linas wrote:
> I already had this email draft in my head, but Ananda's 'Arch Linux security
> is still poor' thread, on which the point was also brought up, moved me to
> really write it.
There's a bug on the tracker about this, please contribute there.
There's no poi
I already had this email draft in my head, but Ananda's 'Arch Linux
security is still poor' thread, on which the point was also brought up,
moved me to really write it.
First off, there's an implicit level of trust in the package software,
no matter which OS you use.
When using Windows, you trus