[Slackbuilds-users] Corcern about sources' procedence

Bradley D. Thornton Bradley at NorthTech.US
Thu Jun 9 23:18:52 UTC 2011

Hash: RIPEMD160

On 06/09/2011 04:45 AM, Hac Er wrote:

> The question remains: How do administrators decide if the links they
> post are trustworthy?

Well, since you're asking, I might as well get all socratic on you too:

"How do you know that the upstream, original author/maintainer of the
software you want to run is trustworthy?

Oh, I'm sorry... That was a Rhetorical question wasn't it? (Answer:
YES). And about 10 messages back there's a link to Ken Thompson's
treatment of that same question.

The outcome of that treatment? You can't be certain at all unless you
wrote it yourself.

Let take a moment now to poke a couple of holes into the notions which
you infer *could* exist here.

First, when someone submits a SlackBuild, a member of the SBo team vets
it out. The checksum you see at SlackBuilds.org for any particular
source won't match what you download if something changes (up thar in
that cloud thingy). sbopkg does a bit of work for you toward that end
that I am certain many people just disregard performing manually
themselves, and at times, I've been in a rush to launch a new server and
have been guilty of it myself.

Second, There really isn't anything to trust here, and the site pretty
much says so too. you get a very small script, which is overwhelmingly
just a boilerplate. So if an SBo maintainer were to do anything funky...

It's all on you Bob. Read that <package_name>.SlackBuild.

Third, at some point you're going to have to go to the grocery store. I
know you wouldn't trust getting there in a Ford Pinto with Firestone
500's, but even if you walked, there are one legged crack mamas waiting
to stab you in the heart for another 20 dollar rock.

Fourth, There is indeed software that I don't personally trust. I don't
trust selinux, or anything from those bozos; I don't trust Canonical, or
Microsoft, or Skype, or yahoo, or Oracle, or many many others either -
yet I nonetheless still use some of their products.

Fifth, it simply isn't the job of an SBo maintainer, or SlackBuilds.org,
to audit upstream software - it's yours, if you choose to do so... or not.

sixth, I would be much more concerned with the sofware management
systems of "Other distros" besides Slackware - like Gentoo, FreeBSD (k.,
separate  flavour, not a distro, I know), SourceMage, Sorcerer,
LunarLinux.... Oh, gee! most of those are *source based* distributions
aren't they?

I would also be very concerned about repos like rpmforge (now
repoforge), rpmfind.net, blah blah blah - who the heck are those
packagers? And how much more dificult is it to track what is going on there?

Let's take Sorcerer Linux, for example. People here Trust Pat, we also
trust the SBo team - these are people that have been vetted out over a
long period of time. Sure, someone could go off their meds, but that's
not what we're talking about really.

I also use Sorcerer, and like Pat, Kyle doesn't stand to gain any
advantage from wheeling a trojan horse into his little city. But in
order for the end user to ascertain what you're asking us how we
ascertain with regards to SBo's, the difference in the amount of work
involved is several orders of magnitude greater for a source based
distro than it is for someone Examining a SlackBuild.

With Sorcerer, add to that the fact that in order to speed things up,
Kyle uses Delta Patching and rsync to trim bandwidth and time in
obtaining the source - how hard would that be to scrutinize compared to
a *.SlackBuild?

Seventh, even if you LFS, you're still left with the Ken Thompson
paradox mentioned above wrt the source code you didn't write the
compiler for.

We really have no idea how many easter eggs, trojans, and back doors
exist at this very moment within our respective operating environments
(Unless you use Sony products, then you know you've got rootkits) - none
of us do. Software is piled layer upon layer so deep that generations of
coders have probably passed away that left a benign backdoor in their
products - intended for tech support perhaps, yet still lurking as
tomorrows 0day exploits.

eighth, ...drat. My daughter just came in and derailed my train of
thought. But I was on a roll there for a while wasn't I?

The bottom line is: "I'm not Bill Joy. I can't write UNIX from scratch
in a single, frenzied, marathon diet dew inspired episode, come out of
my cave, and have a completed product - Trust is always something you
can lose, but not something you must necessarily be required to earn ;)

I hope that helps :)

Kindest regards,

- -- 
Bradley D. Thornton
Manager Network Services
NorthTech Computer
TEL: +1.760.666.2703  (US)
TEL: +44.203.318.2755 (UK)

Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Find this cert at x-hkp://pool.sks-keyservers.net


More information about the SlackBuilds-users mailing list