Date: Mon, 12 Mar 2018 22:06:34 +0100
From: Kurt Jaeger
To: Yuri
Cc: "ports@freebsd.org", ports-secteam@freebsd.org
Subject: Re: sysutils/ipfs-go downloads pre-built binaries while sources are available
Message-ID: <20180312210634.GG21001@home.opsec.eu>
In-Reply-To: <4f70cd4f-6c19-8651-4362-0db3e3398158@rawbw.com>
List-Id: Porting software to FreeBSD

Hi!

> On 03/12/18 13:42, Adam Weinberger wrote:
> > While source is preferred over binary, we don't delete ports just
> > because they have binary blobs.

> Binary downloads have an entirely different trust model. You have to
> trust the producer of the binary, vs. with source code it is much more
> obvious what does it do.

Even a modest amount of HTML mixed with JavaScript can be a deathtrap.
So what is source code again ?

> Neglect or misunderstanding of this difference
> leads to rampant spread of malware on Windows and cell phones.

Yes, but the boundary can not be drawn at the 'source' border.

My fear is that we do not really understand where the border lies.

-- 
pi@opsec.eu            +49 171 3101372                         2 years to go !