Re: Contribute to pf(4)
On Tue, 16 Jul 2002, Daniel Hartmeier wrote:
> I can only speak for myself, but in my experience, instead of offering
> to do something, you should just do it. Yes, you risk doing something
> that might not be received well in the end, or you have to do it just to
> get people's attention to talk to you about how to do it right, and you
> then have to do it again. Maybe not perfect, but still worthwhile in my
> opinion. I guess there have been just much more discussions lacking
> results than results lacking prior discussion.
The point I was trying to make is that with binary packages there is an
amount of trust that must be there in order for someone as paranoid as me
to use them. Now, I have a compiler for my platforms, so I patch source
and fix what I need to that way; that's one of the reasons why I moved from
Linux to OpenBSD in the first place. I didn't want to deal with rpm,
apt-get, or the other flavors of Linux package installation utilities.
Now, I could make binary packages and distribute them, but who's to say I
won't put a backdoor in the packages? You could run strings against the
binary and look for evidence of the backdoor, but there are ways around
that. So, I could start making backdoored binaries that no one finds and
keep doing so until I gain the trust of the community and am placed into a
position of trust and people accept my binary packages as legit. Then I
start exploiting these systems and doing whatever with them. So, how do
you establish trust in someone to do it and not exploit you? I trust the
OpenBSD team not to do something like that, even if Theo and I don't get
along.
Ultimately, you have to be able to trust whoever supplies these packages
and how does one build that trust?
Then again, I suppose it's possible to use the fixes worked into the
snapshots as a sort of binary package system if you extract the specifics
of what you need and the libraries are the same. But I've never used the
non-i386 snapshots so I'm not sure how often they get updated or even if
it would be practical. I'll play around with that after I wake up.
--
Joseph
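The claim above that running strings(1) over a binary can be defeated is easy to demonstrate. The following is an added example, not code from the original post or from OpenBSD: it constructs two tiny fake "binary images" (labelled as constructed; they are not real ELF files), one carrying a plaintext marker and one carrying the same marker XOR-encoded with a constant key, and runs a minimal re-implementation of what strings(1) does (report runs of four or more printable ASCII bytes) over both. The marker string "backdoor", the key 0xA5 and the helper names are all assumptions chosen for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed constants for the demonstration, not taken from any real package. */
static const unsigned char KEY = 0xA5;
static const char MARKER[] = "backdoor";
#define HEAD_LEN 6
#define MIN_RUN 4   /* strings(1) default minimum run length */

static int is_printable(unsigned char c) { return c >= 0x20 && c <= 0x7e; }

/* Minimal stand-in for strings(1) | grep needle: returns 1 if `needle` occurs
 * inside some run of at least MIN_RUN printable bytes in buf, else 0. */
int strings_would_find(const unsigned char *buf, size_t len, const char *needle)
{
    size_t i = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && is_printable(buf[i])) i++;
        size_t run = i - start;
        if (run >= MIN_RUN) {
            char tmp[256];  /* copy the run out so strstr() can scan it */
            size_t n = run < sizeof tmp - 1 ? run : sizeof tmp - 1;
            memcpy(tmp, buf + start, n);
            tmp[n] = '\0';
            if (strstr(tmp, needle)) return 1;
        }
        if (i == start) i++;  /* non-printable byte: step over it */
    }
    return 0;
}

/* XOR with a single-byte key; the same call encodes and decodes. */
void xor_bytes(unsigned char *dst, const unsigned char *src, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++) dst[i] = src[i] ^ key;
}

/* Constructed "binary image": a few header-like bytes, the marker (plain or
 * XOR-encoded), and a short tail of non-printable bytes. Returns its length. */
size_t build_image(unsigned char *out, int encoded)
{
    static const unsigned char head[HEAD_LEN] = {0x7f, 'E', 'L', 'F', 0x01, 0x00};
    static const unsigned char tail[] = {0x00, 0x90, 0x90, 0xc3};
    size_t mlen = strlen(MARKER), n = 0;
    memcpy(out + n, head, HEAD_LEN); n += HEAD_LEN;
    if (encoded) xor_bytes(out + n, (const unsigned char *)MARKER, mlen, KEY);
    else memcpy(out + n, MARKER, mlen);
    n += mlen;
    memcpy(out + n, tail, sizeof tail); n += sizeof tail;
    return n;
}

/* What a trojaned program would do at runtime: decode the marker in memory,
 * so the plaintext never sits in the on-disk file. */
int recover_marker(const unsigned char *image, size_t len, char *out, size_t outlen)
{
    size_t mlen = strlen(MARKER);
    if (HEAD_LEN + mlen > len || mlen + 1 > outlen) return 0;
    xor_bytes((unsigned char *)out, image + HEAD_LEN, mlen, KEY);
    out[mlen] = '\0';
    return 1;
}

/* Result helpers: 1 = strings-style scan sees the marker in the plain image. */
int plain_image_reveals_marker(void)
{
    unsigned char img[64];
    size_t n = build_image(img, 0);
    return strings_would_find(img, n, MARKER);
}

/* 1 = strings-style scan sees the marker in the XOR-encoded image. */
int encoded_image_reveals_marker(void)
{
    unsigned char img[64];
    size_t n = build_image(img, 1);
    return strings_would_find(img, n, MARKER);
}

/* 1 = the encoded image still yields the plaintext marker when decoded at runtime. */
int encoded_image_recovers_at_runtime(void)
{
    unsigned char img[64];
    char out[16];
    size_t n = build_image(img, 1);
    return recover_marker(img, n, out, sizeof out) && strcmp(out, MARKER) == 0;
}

int main(void)
{
    printf("plain image, strings finds marker:   %d\n", plain_image_reveals_marker());
    printf("encoded image, strings finds marker: %d\n", encoded_image_reveals_marker());
    printf("encoded image decodes at runtime:    %d\n", encoded_image_recovers_at_runtime());
    return 0;
}
```

With key 0xA5 every encoded byte lands above 0x7e, so the scanner sees no printable run at all; with a key that leaves the bytes printable, strings(1) would still list an unreadable run, which is the kind of thing a careful reviewer greps for. Either way the point of the post stands: a string scan is a heuristic, not a trust mechanism, and the only way to know what a binary package does is to build it from source you have read or to trust whoever built it.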