[Slackbuilds-users] Corcern about sources' procedence
gmartin at gmartin.org
Thu Jun 9 16:02:36 UTC 2011
On Thu, Jun 9, 2011 at 11:11 AM, Klaatu <notklaatu at straightedgelinux.com>wrote:
> There's no need to follow links from SlackBuilds.org for anything more than
> the SlackBuild itself, which you can audit and verify manually. Proceed to
> your trusted site for the source code, grab the source, edit the SlackBuild
> script as needed, and build.
> I guess the larger issue, really, as Ben I think is saying, how do you know
> ANY source code you download is trustworthy? As Ken Thompson says in Ben's
> link (great article, btw, thanks for the link Ben) "The moral is obvious.
> can't trust code that you did not totally create yourself."
> -- klaatu
To me this comes down to reputation within the community. I don't know
anyone involved in the snort project and have no reason to trust their code
except that it is public and open and hopefully there are eyes looking for
such things. But in the end is is a large, faceless community - to me.
Enter Niels (thanks, btw, for lending us your reputation for this
discussion). He is part of a much smaller and more well known to me group -
the slackbuild contributers. While I know the slackbuild admins are only
reviewing the script, and not Niels copy of of version x.y.z, he has,
nevertheless, developed a large positive personal reputation in the
community. He could choose to burn that trust and we likely would not
discover it right away. But the fact that he has earned his reputation over
time is an indicator that he is less likely to harm in the future.
For me, it is easier to trust Niels then Snort due to the size of ther SB
community and my closer connection to it.
Perhaps the thing for you to do is spot check his (and others') tar ball
against the site's published signature (assuming it is available) for that
version. This would give both trust AND verify .
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the SlackBuilds-users