
Re: Who builds YOUR binary RPMs?



There are two questions to this issue:
1: Do you trust your distro?
2: Do you trust your distro's ftp site?

Question number two is really a matter of the site having been hacked and a trojan (or a cuckoo) being planted.

I use Debian, and I DO trust them.  I would never have a problem downloading a .deb file from the official Debian site or a trusted mirror.  In fact it is a little different with .debs.  RPMs are EVERYWHERE, and ANY Tom, Dick, or Harry can create them.  DEBs seem to be created mostly by Debian personnel (though there are some non-official ones).  The reason for this is that the tools necessary to create DEBs are not as well documented and understood, so only real Debian developers are using them.  Of course with Corel and Stormix in the picture now, this might be changing.

--- Tim Jones <tim@timjones.com> wrote:
> Tom Schaefer wrote:
> >
> > I know this is a Linux list, but a friend of mine had this exchange with one of the people from FreeBSD back in November, regarding Linux vs. FreeBSD, and I thought you folks might like to read it ... it may prompt some of you to actually go make a boot floppy and install straight from the net ... Keith, my friend, had written an article, to which Daniel Sobral (FreeBSD) responded, and this is only one of several of the emails exchanged:
> >
> > ===== cut here =====
>
> Wow, Tom, thanks for copying me on this exchange.  I found it VERY interesting.  This, plus Carlos's information that there ARE indeed multiple fallback sites built in for everything under /usr/ports, makes me want to explore FreeBSD so much more.
>
> One other thing that I noticed during my FreeBSD box's compilation, but forgot about until reminded by that article, was that the source packages' MD5 checksums are part of the process to help ensure that you're not downloading a trojan.
>
> This brings up a serious trust issue: It's only a matter of time (could have already happened, for all we know) before somebody at one of the RPM-based distro companies inadvertently puts out a binary RPM that does something nasty and/or covert to our systems.  Or maybe it won't be so innocent: some scummy PHB will get the bright idea to have the coders slip in a piece of code to 'survey' which programs we use the most, or to 'sign' content you produce with your ethernet card's MAC address (MS does this with Word, they called it a bug, gimme a break!)  Yes, they provide SRPMS too, but how do you know the RPMS came directly from the SRPMS?
>
> The question comes down to:  Do you trust your distro provider to build all of your binaries cleanly?  In a couple years when pressure comes from Wall Street to turn a profit or lose that huge market capitalization, can we trust them to still play straight with us?
>
> Don't get me wrong: I'm very pro-business!  I work for myself, and am doing pretty nicely, and hope to do even better - it's wonderful, I wish more people could enjoy it... but the misdeeds of the very largest companies (MS, AOL, Disney, Sony, Amazon, Real Networks, MPAA/DVD-CSS, GTE, Bellsouth, Network Solutions, you get the idea) have taught me to distrust the very largest players.  After money comes power, and in our world, these guys' idea of power includes intentional backdoors, sabotaging competing software, selective platform support, eyeballs, spam, restrictive contracts, and ads.  I don't see that Linux companies are inherently immune to these things.
>
> I'm starting to think that building all your software only from trusted source *.tar.gz files is going to become standard practice among the paranoid (yes, I lean that way too, can you tell?).  FreeBSD does that right now, and we need to either add Linux to the /usr/ports system, or come up with something similar in order to guard against these potential abuses.
>
> What do you think?
>
> Tim

=====
Amateur Radio, when all else fails!

http://www.qsl.net/wa2mze

Debian Gnu Linux, Live Free or .....
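The check Tim describes above (the ports build verifying a source distfile's recorded checksum before anything is compiled), as an added example that is not part of this thread or of the FreeBSD ports code: a small Python verifier for distinfo-style `ALGO (filename) = hexdigest` lines, generalized to SHA256 as well as MD5. The distfile name, its bytes and the distinfo text are constructed sample data.

```python
import hashlib
import re

# Constructed sample data (hypothetical name and bytes, not a real distfile).
DISTFILE_NAME = "example-1.0.tar.gz"
DISTFILE_BYTES = b"constructed stand-in for a source tarball\n"
# What a compromised mirror might serve under the same name: different bytes.
TAMPERED_BYTES = DISTFILE_BYTES + b"one extra line changes every digest\n"

# distinfo lines look like:  MD5 (example-1.0.tar.gz) = <32 hex chars>
LINE_RE = re.compile(r"^(?P<algo>MD5|SHA256) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]+)$")

def parse_distinfo(text):
    """Map filename -> {algo: hexdigest}; reject lines that do not parse."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("malformed distinfo line: %r" % line)
        entries.setdefault(m.group("name"), {})[m.group("algo")] = m.group("hex")
    return entries

def verify_distfile(name, data, distinfo_text):
    """Return (ok, message). Every recorded digest must match; a file with no
    recorded digest fails closed, because an unverifiable download carries
    the same risk as a bad one."""
    expected = parse_distinfo(distinfo_text).get(name)
    if not expected:
        return False, "no checksum recorded for %s; refusing to build" % name
    for algo, want in sorted(expected.items()):
        got = hashlib.new(algo.lower(), data).hexdigest()
        if got != want:
            return False, "%s mismatch for %s: distinfo %s, download %s" % (algo, name, want, got)
    return True, "%d checksum(s) match for %s" % (len(expected), name)

# The distinfo a port maintainer would have committed for the genuine bytes.
GOOD_DISTINFO = "MD5 (%s) = %s\nSHA256 (%s) = %s\n" % (
    DISTFILE_NAME, hashlib.md5(DISTFILE_BYTES).hexdigest(),
    DISTFILE_NAME, hashlib.sha256(DISTFILE_BYTES).hexdigest())

if __name__ == "__main__":
    for label, data in (("genuine", DISTFILE_BYTES), ("tampered", TAMPERED_BYTES)):
        ok, msg = verify_distfile(DISTFILE_NAME, data, GOOD_DISTINFO)
        print("%-8s %s -> %s" % (label, "OK" if ok else "FAIL", msg))
```

The property that makes this worth anything is that the distinfo travels with the ports tree rather than with the download, so a swapped copy on a mirror fails the check; it protects nothing if the distinfo itself comes from the same untrusted place.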
