[Box Backup] Help installing client on Mac OS X
Fri, 5 Oct 2007 00:17:20 +0100 (BST)
On Thu, 4 Oct 2007, Peter Jalajas, TebucoSafe Backups wrote:
> Wow! I am humbled by the incredibly thorough and quick response to my
> request. I love this project! Thank you all who responded!
> A question comes up with these pre-built Mac and Windows packages.
> That is, since we end-users are not building the client parcels
> ourselves, and relying on the generosity and trust of others (Chris,
> Per, etc) to build them for us, we thus create a bit of a security gap
> over which we must take a leap of faith and trust. Does anyone have any
> suggestions for a reasonable way to manage that security risk, to shrink
> that security gap? A client may ask someday.
I'm not sure that downloading and installing a binary package is any
different to downloading, compiling and installing a source package,
UNLESS you take the time to verify the sources by hand.
Assuming that you don't (and I don't, even though I know I should :-) then
it comes down to taking packages (binary or source) only from those who
you trust. Leading to the question, "who do you trust"? Which is one that
I'd be very interested to hear your answers on :-)
E.g. would you trust a package (binary or source) from Fink? From Debian
(Reinhard Tartler)? From Per Thomsen? From me? From Ben? What would your
Would you trust a source or binary package based on trunk less than an
official release with known bugs and a well-known MD5sum?
Would you trust a Microsoft patch with a license agreement that allows
them to install arbitrary software on your machine at a later date? Would
you still trust Microsoft after they installed that arbitrary software
without telling you?
Would you trust a (source or binary) release more if it had a published
MD5 checksum? If it had a PGP signature? Can you actually verify stuff
against my PGP key? Do you trust that it was really me who uploaded that
key? Would you trust my emails more if I PGP-signed them?
In my view it comes down to an element of unknown risk (of bugs more than
trojans) from running newer, less tested code, versus an element of
(better) known risk running older code with known bugs (which might also
be trojaned). And also the reputation of the code authors, the
maintainers, the packagers and the distributors.
Personally I put near-absolute trust in my distro maintainers and the
packages that they choose to release (and whether those packages are
destined to run with root privileges or not) because I feel they they have
more to lose by being publicly humiliated than I do by running their code.
As far as Box is concerned, I trust James to keep our Subversion server
safe, and I trust Subversion to send me commit logs, which I read to
ensure that nothing happens to the Box source without me knowing about it
and understanding what it does (as best this bear of little brain can
So what do "security gap", faith and trust mean for you? I guess we need
better definitions of those terms. At least I do before I can even try to
assuage your doubts.
_____ __ _
\ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |