From: John Marino
To: Kurt Jaeger, FreeBSD Mailing List
Subject: Re: synth documentation
Date: Wed, 10 Feb 2016 10:11:25 +0100

On 2/10/2016 10:01 AM, Kurt Jaeger wrote:
> Hi!
>
>> I'm racking my brains and I can't find a single rational reason why
>> somebody would refuse the package (especially if building it on an Atom
>> is the alternative).
>
> The famous paper from Ken Thompson: Reflections on trusting trust
>
> http://dl.acm.org/citation.cfm?doid=358198.358210
>

The source is publicly available on github. The only way that Thompson
paper could apply is if a trojan is inserted at the FreeBSD package
builder level.

So I guess [A] could say FreeBSD package builder is compromised
(intentionally by FreeBSD project or unknown to all due to a hacker). And
I guess that could be possible, but the counter is: If you can't trust
packages built by FreeBSD, how can you trust the FreeBSD base not to
have a trojan?

Which would mean that only the people that *also* build FreeBSD from
source would have a leg to stand on.

So I will concede that case: If you accept no binaries at all from
FreeBSD and only build base and packages from source, then you have a
point. But still the response, "Then don't complain" applies. It's a
conscious decision and consequences of decisions must be accepted.

Besides, this theoretical person will have a lot more issues than lil'
ole Synth. It will be in the noise compared to Libreoffice, webkit
(x5), kde, etc.

John