From owner-cvs-all Sun Jul 16 14:50: 6 2000 Delivered-To: cvs-all@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 2625737B8BD; Sun, 16 Jul 2000 14:49:58 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id OAA85837; Sun, 16 Jul 2000 14:49:58 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Sun, 16 Jul 2000 14:49:58 -0700 (PDT) From: Kris Kennaway To: Will Andrews Cc: Jeroen Ruigrok van der Werven , Hajimu UMEMOTO , cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: ports/sysutils/gkrellm/files md5 In-Reply-To: <20000716112616.A535@argon.gryphonsoft.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-cvs-all@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Sun, 16 Jul 2000, Will Andrews wrote: > On Sun, Jul 16, 2000 at 05:02:02PM +0200, Jeroen Ruigrok van der Werven wrote: > > The security officers would like to know what exactly changed between > > the one version and the other. For all we know it could've been > > trojaned. > > The problem with this is that we don't check new-versioned distfiles for > trojans either. As we've discussed previously, "all or no security > auditing, there's little point in anything in between". No, we haven't "discussed" this, but the opinion was stated. *My* opinion is that trojans are much more likely to happen by simply changing the distfile than by bogusly releasing a new version. Besides which, your logic is flawed. Since we cannot audit all source code in the tree, we should audit none of it? *Anything* we catch is a win. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message