[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Binary release announcements?

From: Greg A. Woods
Subject: RE: Binary release announcements?
Date: Wed, 18 Feb 2004 18:59:40 -0500 (EST)

[ On Wednesday, February 18, 2004 at 11:25:56 (-0500), Patton, Matthew E., CTR, 
OSD-PA&E wrote: ]
> Subject: RE: Binary release announcements?
> Like ANYBODY who looks at the CVS code can trust it! So it's not as bad as
> qmail and other hideous projects out there but the code-base is anything but
> "reassuring". Hell, I broke the build on v1.11.11 just by not enabling the
> pserver capability - that self-same capability that everybody maintains is
> "dangerous". Not to mention it's a list mantra that CVS was never designed
> with security in mind. And you think it deserves to be trusted in any way
> shape or form?

You're confusing your "levels"(?) of trust, without any apparent regard
for the threat models involved.

The issues w.r.t. trusting binaries are wholely separate from the issues
surrounding the inappropriate use of the CVS code to do authentication
and authorisation.

I.e. you don't have to remove the CVS pserver code in order to avoid
using it in an unsafe manner -- at least not on any unix-like host.

> CVS is a gnat in the scheme of things. If pre-built binaries was such a
> problem why do zillions of *BSD, Linux, *nix, windoze users do nothing but
> install binaries (and MS doesn't even sign their stuff)?

The important thing is knowing where the binary came from.

I'll only install *BSD binaries that come on a verified and verifiable
CD-ROM, or that I can download off the net and verify with some form of
signature (preferably PGP-like, though MD5s are better than nothing).

In fact I do the same with all source code archives as well, and have
done ever since people started posting checksums and cryptographic file

The cool thing about the *BSD projects is that one can do all add-on
software upgrades right from source with full third-party signature
verification, and by typing only one command.

> The opportunity to
> trojan Linux or OpenBSD is FAR more attractive than diddling with a source
> control system.

Indeed it is which is why so many more people keep independent copies of
the sources and do independent verification of all changes to those

> Or anyone running a mirror could likewise play games.

That's why the *BSD projects use independent third-party cryptographic
signatures to verify all source code archives the user downloads.

                                                Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <address@hidden>
Planix, Inc. <address@hidden>          Secrets of the Weird <address@hidden>

reply via email to

[Prev in Thread] Current Thread [Next in Thread]