OT: Whose packages to use?

Jay R. Ashworth jra at baylink.com
Fri Apr 28 11:46:04 PDT 2006


On Thu, Apr 27, 2006 at 11:11:21PM -0400, Fairlight wrote:
> The honourable and venerable Jay Ashworth spoke thus:
> > This does have one disadvantage, though, Bill: as soon as you start 
> > packaging your own apps, *you* take on the responsibility for tracking
> > all those apps for security fixes, and all the testing, etc...
> 
> Any decent admin will likely be on the security lists and on top of this
> stuff anyway, though...

It's too big a job, IMO.  I like to think I *am* a decent admin, and
there's no way I could cope with it.  That's why I pay distribution
packagers.

> > This is one of the reasons I personally prefer to stick with 
> > the distro's packages (or the app supplier's), whenever possible.  The 
> > tradeoff seems a win to me...
> 
> I'll take vendor-supplied.  If I can't get that, I'll take source-only
> where available.  I've never liked non-vendor binary distributions, mostly
> because they sometimes tend to put things in locations I don't agree with,

No argument here.

> and they're also not the vendor.  If the vendor does it, it at least
> (usually!) matches the "rationale" for the system layout, and is a logical
> configuration.  If I can't have something that matches the vendor setup,
> guaranteed, I'll just roll it so it does.

Indeed.

> Actually, I dislike binary dists for another reason:  I don't like trusting
> binaries that are prebuilt.  Obviously one doesn't have the time or money
> to compile the entire OS from source.  But in an overall sense, after you
> have your "trusted" core system, any apps--I feel should be done from
> source.

Oh yeah: if you're talking about specific application packages, and
your distro (or the app vendor) doesn't package them for your OS
version, definitely, build your own.

> And trusting application developers these days is getting harder as well.
> There's a DirectX instant messaging client called xfire.  You use it in an
> overlay mode on top of almost any DX or OpenGL game.  A friend introduced me
> to it, and we loved it--until he thought one of my systems was infected
> and/or hacked here because he was getting port scanned like crazy--from
> MY router's IP#.  I did full virus and spyware sweeps on both Windows
> machines.  Nada.  Totally clean as a whistle.  I did a full audit on the
> linux box.  Also nothing amiss.  Finally we started to notice a trend; he
> was only getting port scanned (and we're talking a thorough kind of port
> scan here) when we both had xfire running.  Obviously a real trustworthy
> application, right?  I couldn't delete it fast enough.  Surprisingly,
> Activision now underwrites that application.  They either subsidize it, or
> they bought them outright, as it's being bundled with Activision games--got
> another copy with something I recently bought.  Pity, it was a -great-
> tool...ICQ-ish without flipping out of game...but the side-effects were
> wholly unacceptable.  At any rate, this was distributed as-intended, and
> you couldn't trust it.  If the source had been open, maybe someone would
> have found it a lot sooner.  

Eek!

> The point is though, even if MD5 sum files are generated for a binary dist,
> they don't really prove much.  If you can manage to replace the dist,
> you can manage to replace the md5 file, unless they're kept on separate
> servers.  I've always failed to see the trust chain in people providing
> them for exactly that reason.  If they're sitting in the same directory on
> the same server, I think it's worthless.  If there were two separate
> servers to crack, that might make it a bit more trustworthy.

Yeah.

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra at baylink.com
Designer                          Baylink                             RFC 2100
Ashworth & Associates        The Things I Think                        '87 e24
St Petersburg FL USA      http://baylink.pitas.com             +1 727 647 1274

     A: Because it messes up the order in which people normally read text.
     Q: Why is top-posting such a bad thing? 
     
     A: Top-posting.
     Q: What is the most annoying thing on Usenet and in e-mail?
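To make the checksum argument in the quoted message concrete, here is an added example (not code from either poster) simulating a mirror that publishes a package next to its `.md5` file. The package contents, file names and the "pinned" digest are constructed; the point is that a verifier trusting the co-located `.md5` still passes after both files are replaced, while a digest obtained out of band catches the swap.

```python
import hashlib
import os
import tempfile

# Constructed sample payloads standing in for a real package tarball.
GOOD_DIST = b"#!/bin/sh\necho 'hello from the genuine package'\n"
TAMPERED_DIST = b"#!/bin/sh\necho 'hello from a replaced package'\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def publish(mirror: str, dist: bytes) -> None:
    """Write the package and its .md5 side by side, as a mirror would."""
    with open(os.path.join(mirror, "app.tar.gz"), "wb") as f:
        f.write(dist)
    with open(os.path.join(mirror, "app.tar.gz.md5"), "w") as f:
        f.write(md5_hex(dist) + "  app.tar.gz\n")


def verify_against_mirror(mirror: str) -> bool:
    """Weak check: trust the .md5 that sits next to the file on the same server."""
    with open(os.path.join(mirror, "app.tar.gz"), "rb") as f:
        data = f.read()
    with open(os.path.join(mirror, "app.tar.gz.md5")) as f:
        expected = f.read().split()[0]
    return md5_hex(data) == expected


def verify_against_pinned(mirror: str, pinned_md5: str) -> bool:
    """Stronger check: compare to a digest recorded from an independent source."""
    with open(os.path.join(mirror, "app.tar.gz"), "rb") as f:
        data = f.read()
    return md5_hex(data) == pinned_md5


def demo() -> dict:
    """Publish, pin the digest out of band, then replace both files on the mirror."""
    pinned = md5_hex(GOOD_DIST)  # assumed to have been fetched from a separate server
    with tempfile.TemporaryDirectory() as mirror:
        publish(mirror, GOOD_DIST)
        before = (verify_against_mirror(mirror), verify_against_pinned(mirror, pinned))
        # Whoever can replace the dist can regenerate the .md5 beside it as well.
        publish(mirror, TAMPERED_DIST)
        after = (verify_against_mirror(mirror), verify_against_pinned(mirror, pinned))
    return {"before": before, "after": after}
```

`demo()` returns `{"before": (True, True), "after": (True, False)}`: the co-located checksum never fails, only the independently held digest does.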

