security projects thoughts

Bayard Bell buffer.g.overflow at googlemail.com
Mon Apr 18 07:27:19 PDT 2011


On 18 Apr 2011, at 15:11, Arno Hautala wrote:

> On Mon, Apr 18, 2011 at 10:02, Bayard Bell
> <buffer.g.overflow at googlemail.com> wrote:
>> 
>> I think we need to temper how the examples are flying: an evil network operator can do egregious damage, but macports isn't exactly the thin end of the wedge for exploiting the implied level of trust.
> 
> True. Outlandish examples can be saved for extending a system once it exists.
> 
> I think my arguments at this point can boil down to looking at other
> package systems. Why do they bother with signing? Are their issues
> relevant to MacPorts? Are their solutions relevant to MacPorts?

I've also spent some time reading up on this lately. There certainly have been a lot of instructive mistakes made out there as other porting and packaging communities have tried to come to grips with this. The answers vary a great deal and the implications aren't strictly obvious (as Daniel points out, this community isn't doing things like code auditing, and the fact that OpenBSD does to some extent for its ports and that it seems a good idea doesn't mean it's viable as a short-term goal). On the other hand, I think there's a degree to which repeating mistakes or failing to adopt sound practices can lead to being flogged by retrospection, so you've got to make decisions that bear up under reasoned comparative scrutiny.

> -- 
> arno  s  hautala    /-|   arno at alum.wpi.edu
> 
> pgp b2c9d448
