2.2.1

Benoit T benoit.triquet at gmail.com
Fri Oct 25 11:35:27 PDT 2013


On Fri, Oct 25, 2013 at 12:04:28PM -0500, Ryan Schmidt wrote:
> > I could easily sign it, it just really ought to be signed by the person
> > who built it.
> 
> Why?

Because anyone could replace your message without the recipient knowing.

Admittedly, it is not that trivial but that does not mean that the risk
(in the sense of plausibility, not random events) is low because the
reward of "rootkit-ing" MacPorts would be huge!

If the signer is the builder, then their build host would have to be
owned for MacPorts to be rooted, which is also possible but even harder
for an attacker.

So, kudos to the not-so-many core developers of MacPorts who have both
the power and the responsibility (insert Spiderman quote here) to uphold
the integrity of MacPorts, and thanks in advance for continuing to do
so, whoever you are :-)

Cheers

-- 
Benoit Triquet <benoit.triquet at gmail.com>


More information about the macports-dev mailing list