security projects thoughts

Arno Hautala arno at alum.wpi.edu
Sat Apr 16 13:00:25 PDT 2011


On Sat, Apr 16, 2011 at 14:56, Jordan K. Hubbard <jkh at apple.com> wrote:
>
> Now, all that said, we've been debating this whole topic in something of a rarified atmosphere.  If you have a small pile of patches that you are sitting on which actually implement "securing the supply chain" in building ports then that's obviously a different story since you're not only asking for this feature, you're "putting your money where your mouth is" (an English colloquialism not meant to be taken literally) and actually doing the work involved, in which case you should submit them for review and see what people think of your implementation.

I just wanted to throw in the comment that your opinion isn't only
valid if you are contributing code. Not everyone has the skill or time
to do so. I don't farm my own food or drive a delivery truck, but I
can still ask my grocer to stock a new product or look into more
efficient or "green" processes. (--end-weird-analogy--) There are many,
for example, who would love to see a security chain which places the
weight on trusting or not trusting MacPorts. They likely understand
that this doesn't mean they're "safe", but still appreciate the
vectors of attack which are now covered.

It also doesn't seem unreasonable at all to enter into a discussion
about what can be done to improve security, what the tradeoffs are,
and where priorities should be placed, without making an initial
contribution of code.

-- 
arno  s  hautala    /-|   arno at alum.wpi.edu

pgp b2c9d448


More information about the macports-dev mailing list