Date: Sun, 16 Jul 2000 14:49:58 -0700 (PDT) From: Kris Kennaway <kris@FreeBSD.org> To: Will Andrews <andrews@technologist.com> Cc: Jeroen Ruigrok van der Werven <jruigrok@via-net-works.nl>, Hajimu UMEMOTO <ume@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: ports/sysutils/gkrellm/files md5 Message-ID: <Pine.BSF.4.21.0007161447230.85469-100000@freefall.freebsd.org> In-Reply-To: <20000716112616.A535@argon.gryphonsoft.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 16 Jul 2000, Will Andrews wrote:
> On Sun, Jul 16, 2000 at 05:02:02PM +0200, Jeroen Ruigrok van der Werven wrote:
> > The security officers would like to know what exactly changed between
> > the one version and the other. For all we know it could've been
> > trojaned.
>
> The problem with this is that we don't check new-versioned distfiles for
> trojans either. As we've discussed previously, "all or no security
> auditing, there's little point in anything in between".
No, we haven't "discussed" this, but the opinion was stated. *My* opinion
is that trojans are much more likely to happen by simply changing the
distfile than by bogusly releasing a new version.
Besides which, your logic is flawed. Since we cannot audit all source code
in the tree, we should audit none of it? *Anything* we catch is a win.
Kris
--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe@alum.mit.edu>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0007161447230.85469-100000>