Date:      Mon, 12 Mar 2018 22:06:34 +0100
From:      Kurt Jaeger <lists@opsec.eu>
To:        Yuri <yuri@rawbw.com>
Cc:        "ports@freebsd.org" <ports@freebsd.org>, ports-secteam@freebsd.org
Subject:   Re: sysutils/ipfs-go downloads pre-built binaries while sources are available
Message-ID:  <20180312210634.GG21001@home.opsec.eu>
In-Reply-To: <4f70cd4f-6c19-8651-4362-0db3e3398158@rawbw.com>
References:  <d69ab122-00be-6ed5-cd01-673003700695@rawbw.com> <B7C49CA0-0C1C-4829-ABE1-FA0629FC355C@adamw.org> <4f70cd4f-6c19-8651-4362-0db3e3398158@rawbw.com>

Hi!

> On 03/12/18 13:42, Adam Weinberger wrote:
> > While source is preferred over binary, we don't delete ports just 
> > because they have binary blobs. 

> Binary downloads have an entirely different trust model. You have to 
> trust the producer of the binary, vs. with source code it is much more 
> obvious what it does.

Even a modest amount of HTML mixed with JavaScript can be a deathtrap.

So what is source code again?

> Neglect or misunderstanding of this difference 
> leads to rampant spread of malware on Windows and cell phones.

Yes, but the boundary can not be drawn at the 'source' border.
My fear is that we do not really understand where the border lies.

-- 
pi@opsec.eu            +49 171 3101372                         2 years to go !


