Date:      Wed, 10 Feb 2016 10:11:25 +0100
From:      John Marino <freebsdml@marino.st>
To:        Kurt Jaeger <lists@opsec.eu>, FreeBSD Mailing List <freebsd-ports@freebsd.org>
Subject:   Re: synth documentation
Message-ID:  <56BAFEBD.9000004@marino.st>
In-Reply-To: <20160210090136.GC46096@home.opsec.eu>
References:  <56B9EDC7.1010403@ohlste.in> <56B9F2D6.1090107@marino.st> <20160210015708.GN71035@eureka.lemis.com> <56BAF8E0.7020604@marino.st> <20160210090136.GC46096@home.opsec.eu>

On 2/10/2016 10:01 AM, Kurt Jaeger wrote:
> Hi!
> 
>> I'm racking my brains and I can't find a single rational reason why
>> somebody would refuse the package (especially if building it on an Atom
>> is the alternative).
> 
> The famous paper from Ken Thompson: Reflections on trusting trust
> 
> http://dl.acm.org/citation.cfm?doid=358198.358210
> 

The source is publicly available on github.  The only way that Thompson
paper could apply is if a trojan is inserted at the FreeBSD package
builder level.

So I guess [A] could say FreeBSD package builder is compromised
(intentionally by FreeBSD project or unknown to all due to a hacker).  And
I guess that could be possible, but the counter is: If you can't trust
packages built by FreeBSD, how can you trust the FreeBSD base not to
have a trojan?

Which would mean that only the people that *also* build FreeBSD from
source would have a leg to stand on.

So I will concede that case: If you accept no binaries at all from
FreeBSD and only build base and packages from source, then you have a
point.  But still the response, "Then don't complain" applies.  It's a
conscious decision and consequences of decisions must be accepted.

Besides, this theoretical person will have a lot more issues than lil'
ole Synth.  It will be in the noise compared to LibreOffice, webkit
(x5), kde, etc.

John


