[Slackbuilds-users] Corcern about sources' procedence

Jens Weber - Tuxane.com jens at tuxane.com
Fri Jun 10 15:05:58 UTC 2011


Am 10.06.2011 01:18, schrieb Bradley D. Thornton:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
>
>
> On 06/09/2011 04:45 AM, Hac Er wrote:
>
>> The question remains: How do administrators decide if the links they
>> post are trustworthy?
> Well, since you're asking, I might as well get all socratic on you too:
>
> "How do you know that the upstream, original author/maintainer of the
> software you want to run is trustworthy?
>
> Oh, I'm sorry... That was a Rhetorical question wasn't it? (Answer:
> YES). And about 10 messages back there's a link to Ken Thompson's
> treatment of that same question.
>
> The outcome of that treatment? You can't be certain at all unless you
> wrote it yourself.
>
> Let take a moment now to poke a couple of holes into the notions which
> you infer *could* exist here.
>
> First, when someone submits a SlackBuild, a member of the SBo team vets
> it out. The checksum you see at SlackBuilds.org for any particular
> source won't match what you download if something changes (up thar in
> that cloud thingy). sbopkg does a bit of work for you toward that end
> that I am certain many people just disregard performing manually
> themselves, and at times, I've been in a rush to launch a new server and
> have been guilty of it myself.
>
> Second, There really isn't anything to trust here, and the site pretty
> much says so too. you get a very small script, which is overwhelmingly
> just a boilerplate. So if an SBo maintainer were to do anything funky...
>
> It's all on you Bob. Read that<package_name>.SlackBuild.
>
> Third, at some point you're going to have to go to the grocery store. I
> know you wouldn't trust getting there in a Ford Pinto with Firestone
> 500's, but even if you walked, there are one legged crack mamas waiting
> to stab you in the heart for another 20 dollar rock.
>
> Fourth, There is indeed software that I don't personally trust. I don't
> trust selinux, or anything from those bozos; I don't trust Canonical, or
> Microsoft, or Skype, or yahoo, or Oracle, or many many others either -
> yet I nonetheless still use some of their products.
>
> Fifth, it simply isn't the job of an SBo maintainer, or SlackBuilds.org,
> to audit upstream software - it's yours, if you choose to do so... or not.
>
> sixth, I would be much more concerned with the sofware management
> systems of "Other distros" besides Slackware - like Gentoo, FreeBSD (k.,
> separate  flavour, not a distro, I know), SourceMage, Sorcerer,
> LunarLinux.... Oh, gee! most of those are *source based* distributions
> aren't they?
>
> I would also be very concerned about repos like rpmforge (now
> repoforge), rpmfind.net, blah blah blah - who the heck are those
> packagers? And how much more dificult is it to track what is going on there?
>
> Let's take Sorcerer Linux, for example. People here Trust Pat, we also
> trust the SBo team - these are people that have been vetted out over a
> long period of time. Sure, someone could go off their meds, but that's
> not what we're talking about really.
>
> I also use Sorcerer, and like Pat, Kyle doesn't stand to gain any
> advantage from wheeling a trojan horse into his little city. But in
> order for the end user to ascertain what you're asking us how we
> ascertain with regards to SBo's, the difference in the amount of work
> involved is several orders of magnitude greater for a source based
> distro than it is for someone Examining a SlackBuild.
>
> With Sorcerer, add to that the fact that in order to speed things up,
> Kyle uses Delta Patching and rsync to trim bandwidth and time in
> obtaining the source - how hard would that be to scrutinize compared to
> a *.SlackBuild?
>
> Seventh, even if you LFS, you're still left with the Ken Thompson
> paradox mentioned above wrt the source code you didn't write the
> compiler for.
>
> We really have no idea how many easter eggs, trojans, and back doors
> exist at this very moment within our respective operating environments
> (Unless you use Sony products, then you know you've got rootkits) - none
> of us do. Software is piled layer upon layer so deep that generations of
> coders have probably passed away that left a benign backdoor in their
> products - intended for tech support perhaps, yet still lurking as
> tomorrows 0day exploits.
>
> eighth, ...drat. My daughter just came in and derailed my train of
> thought. But I was on a roll there for a while wasn't I?
>
> The bottom line is: "I'm not Bill Joy. I can't write UNIX from scratch
> in a single, frenzied, marathon diet dew inspired episode, come out of
> my cave, and have a completed product - Trust is always something you
> can lose, but not something you must necessarily be required to earn ;)
>
> I hope that helps :)
>
> Kindest regards,
>
>
>
> - -- 
> Bradley D. Thornton
> Manager Network Services
> NorthTech Computer
> TEL: +1.760.666.2703  (US)
> TEL: +44.203.318.2755 (UK)
> http://NorthTech.US
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Find this cert at x-hkp://pool.sks-keyservers.net
>
> iQEcBAEBAwAGBQJN8VTbAAoJEE1wgkIhr9j3PsgH/jNO9krPIBuKWcRPKtUfSXXw
> 2NnSl/LxN/3GFTzPpsDF0HLQ8BuuFBy8PZkhSpGE0BpGD/rLjy2PILHiPU3dDNse
> Xc3Sb1Tm30EpGg9F62AW4qmmcXlyqAFpbD8vPshebdYFmLgvxXG7w8vxz80fc3ee
> Sw6sHl11Yhvosyhyr7MLAOOUL1MMoAEnrwjOq0i5mwZ+cHRVefOPd2AfYlg6n4G7
> k/rqvXAWrfDycnMPre61ceykpi+hrD3pcBKncrsOetBMKFcYMbVghLol5yQg+JEM
> KNotLtbI2Aa/3qD3tcFEBb4YD8WI9Y7EHgtVJ9ySlDtM21+HEp0V+uxljBpuEcA=
> =2wqX
> -----END PGP SIGNATURE-----
> _______________________________________________
> SlackBuilds-users mailing list
> SlackBuilds-users at slackbuilds.org
> http://lists.slackbuilds.org/mailman/listinfo/slackbuilds-users
> Archives - http://lists.slackbuilds.org/pipermail/slackbuilds-users/
> FAQ - http://slackbuilds.org/faq/
>
And how can I trust the intention of such a topic when it has been 
started from a HOTMAIL account ?? :)


More information about the SlackBuilds-users mailing list