[Box Backup] Help installing client on Mac OS X
Chris Wilson
boxbackup@fluffy.co.uk
Fri, 5 Oct 2007 00:17:20 +0100 (BST)
Hi Pete,
On Thu, 4 Oct 2007, Peter Jalajas, TebucoSafe Backups wrote:
> Wow! I am humbled by the incredibly thorough and quick response to my
> request. I love this project! Thank you all who responded!
>
> A question comes up with these pre-built Mac and Windows packages.
> That is, since we end-users are not building the client parcels
> ourselves, and relying on the generosity and trust of others (Chris,
> Per, etc) to build them for us, we thus create a bit of a security gap
> over which we must take a leap of faith and trust. Does anyone have any
> suggestions for a reasonable way to manage that security risk, to shrink
> that security gap? A client may ask someday.
I'm not sure that downloading and installing a binary package is any
different to downloading, compiling and installing a source package,
UNLESS you take the time to verify the sources by hand.
Assuming that you don't (and I don't, even though I know I should :-) then
it comes down to taking packages (binary or source) only from those who
you trust. Leading to the question, "who do you trust"? Which is one that
I'd be very interested to hear your answers on :-)
E.g. would you trust a package (binary or source) from Fink? From Debian
(Reinhard Tartler)? From Per Thomsen? From me? From Ben? What would your
customers trust?
Would you trust a source or binary package based on trunk less than an
official release with known bugs and a well-known MD5sum?
Would you trust a Microsoft patch with a license agreement that allows
them to install arbitrary software on your machine at a later date? Would
you still trust Microsoft after they installed that arbitrary software
without telling you?
Would you trust a (source or binary) release more if it had a published
MD5 checksum? If it had a PGP signature? Can you actually verify stuff
against my PGP key? Do you trust that it was really me who uploaded that
key? Would you trust my emails more if I PGP-signed them?
In my view it comes down to an element of unknown risk (of bugs more than
trojans) from running newer, less tested code, versus an element of
(better) known risk running older code with known bugs (which might also
be trojaned). And also the reputation of the code authors, the
maintainers, the packagers and the distributors.
Personally I put near-absolute trust in my distro maintainers and the
packages that they choose to release (and whether those packages are
destined to run with root privileges or not) because I feel they have
more to lose by being publicly humiliated than I do by running their code.
As far as Box is concerned, I trust James to keep our Subversion server
safe, and I trust Subversion to send me commit logs, which I read to
ensure that nothing happens to the Box source without me knowing about it
and understanding what it does (as best this bear of little brain can
understand anything).
So what do "security gap", faith and trust mean for you? I guess we need
better definitions of those terms. At least I do before I can even try to
assuage your doubts.
Cheers, Chris.
--
_____ __ _
\ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |