Date: Tue, 25 Jul 2000 15:46:14 -0400 (EDT)
From: Jim Sander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: allow access of root user
Sender: owner-freebsd-security@FreeBSD.ORG

> Yes, you do: you read the source code, just like with any other
> open-source software.

That's true to an extent. If you're installing for your own use, it can be very safe. The risk there would be a malicious or poor implementation, and honestly I'm not a good enough programmer to catch all the cases where that could happen even looking at the source.

If you're using a "foreign" applet to connect, it's not as safe - you'd have to decompile the JAVA bytecode back into source in order to make sure what is executing matches what is published. This isn't something I'm likely to do, which is why I made the comments I did.

Even open-source code that isn't "branded" by a well-respected organization isn't going to get a lot of trust. (from me) It's simply impossible for me to do an effective audit of every tool I use, so I rely upon the support and trust given by such fine organizations as FreeBSD. :)

-=Jim=-