
Re: Building packages with exact binary matches



Ben Finney <bignose+hates-spam@benfinney.id.au> wrote:

> Martin Uecker <muecker@gmx.de> writes:
>
> > On Tue, Sep 25, 2007 at 06:33:40PM -0500, Manoj Srivastava wrote:
> > >         Ah, security through blissful ignorance :) You do not
> > >  actually trust the archive, or the developers, you trust the
> > >  silence.
> > 
> > I trust special relativity, because nobody has disproven it yet.
>
> Really? I trust the theory of special relativity because there is
> enormous evidence supporting it, and little evidence against it.

There is enormous evidence for Aristotle's belief that more
massive objects fall faster, and little evidence against it.
Only a carefully crafted experiment shows that it is false.

> In the case of "there are no messages, therefore I trust the security
> of the system", that's faith - belief in spite of an utter lack of
> evidence.

The predictions must be testable by everybody and - of course -
some must actually try to falsify them. Exact binary matches
would allow everybody to check the integrity of the binary
packages and I am quite sure that some people would do it.
In this case "no messages" stating that something is wrong
is not the same as lack of evidence, it is actually evidence
for the assumption that everything is ok.

> > Do you think this is blissful ignorance, too?
>
> Worse, it's foolish.

It is foolish to base one's trust purely on the authority
of some person. People's belief that massive objects
fall faster was based on the authority of Aristotle.
Debian users' trust in the integrity of some binary package
is based on the authority of the person putting a gpg
signature on it.

> In the lack of *any* evidence either way on a question, it's foolish
> to hold any position but "unknown";

That is a common misbelief. Some things are inherently more
probable than others.

> and, if the question is important for a matter of trust,
> it's imperative to *get* some evidence before extending any trust.

That is certainly true.


Martin
