| 1 |
My beef with binary packages has always been with statically linked |
| 2 |
apps. |
| 3 |
|
| 4 |
Say there is a vulnerability in zlib. Some very notable pieces of |
| 5 |
software statically linked to it and were vulnerable. If you merely |
| 6 |
install the zlib binary, you secure your dynamically linked stuff, but |
| 7 |
not stically linked stuff. |
| 8 |
|
| 9 |
With a source based distro, it is easy to "emerge system; emerge world" |
| 10 |
(yes, recompile the lot). If you use packages that aren't freshened (ie, |
| 11 |
you are made to bring the source down for things you previously got |
| 12 |
binary), you are still possibly using vulnerable code. Maybe not, but to |
| 13 |
be sure you either audit your install, or you recompile the lot. |
| 14 |
|
| 15 |
This is the done thing in OpenBSD for security reasons. Anytime a |
| 16 |
security advisory is applied to the base system libraries, everyone does |
| 17 |
a "build world". |
| 18 |
|
| 19 |
Possibly, every time a library is known to be vulnerable (especially |
| 20 |
core ones), one's package repository could be rebuilt and then "-r" tags |
| 21 |
bumped up one. But warning the user of updated binary packages isn't |
| 22 |
built into portage yet. |
| 23 |
|
| 24 |
I think if Gentoo gets big enough, binary packages will become a big |
| 25 |
part of it for dialup (where downloads are longer than compiles - like |
| 26 |
me) but the inbuilt logic of source recompile will hopefully never be |
| 27 |
lost. In otherwords, Gentoo users should always be prepared to |
| 28 |
recompile (unless they don't care - which isn't the attitude to breed) |
| 29 |
|
| 30 |
Evan. |
| 31 |
|
| 32 |
On Mon, 2002-10-07 at 07:50, Cedric Veilleux wrote: |
| 33 |
> I do agree with you, there are important security issues with pre-compiled |
| 34 |
> packages. |
| 35 |
> |
| 36 |
> Although gentoo would not be the first distro / OS to provide binary packages. |
| 37 |
> Does this mean that all others are insecure? Certainly not. Packages would |
| 38 |
> simply have to come from a trusted source. |
| 39 |
> |
| 40 |
> Pre-compiled is certainly not for every users. I do prefer to compile my own |
| 41 |
> packages most of the time. Although, some times I think it would be nice to |
| 42 |
> have some kind of repository of pre-compiled packages where I could check if |
| 43 |
> a particuliar package is available for my architecture and save hours of |
| 44 |
> compile time. |
| 45 |
> |
| 46 |
> |
| 47 |
> Thank you, |
| 48 |
> |
| 49 |
> Cedric |
| 50 |
> |
| 51 |
> |
| 52 |
> |
| 53 |
> |
| 54 |
> |
| 55 |
> On October 6, 2002 05:31 pm, Owen Stampflee wrote: |
| 56 |
> > On Sunday 06 October 2002 2:30 pm, Cedric Veilleux wrote: |
| 57 |
> > > I seem to be one of the few gentoo user who would like to use a |
| 58 |
> > > few binary packages to save some compilation time when needed... I made |
| 59 |
> > > these packages available, hoping that more people will do the same and |
| 60 |
> > > eventually some form of organized repository or peer 2 peer system is put |
| 61 |
> > > in place.. |
| 62 |
> > |
| 63 |
> > bad bad idea. Think security. |
| 64 |
> > Malicious contributor a, puts out a package that includes some bad holes, |
| 65 |
> > that malicious contributor now owns your computer. |
| 66 |
> > |
| 67 |
> > Have a nice day, |
| 68 |
> > Owen |
| 69 |
> |
| 70 |
> _______________________________________________ |
| 71 |
> gentoo-dev mailing list |
| 72 |
> gentoo-dev@g.o |
| 73 |
> http://lists.gentoo.org/mailman/listinfo/gentoo-dev |
| 74 |
> |
| 75 |
-- |
| 76 |
For security use OpenBSD: http://eread.freeshell.org/ |
| 77 |
"The future comes 60 minutes an hour no matter who you are or what you |
| 78 |
do." |
| 79 |
The Screwtape Letters - C.S. Lewis |
Archives