Hi Jeremiah,

--On Friday, June 07, 2002 02:34:52 -0700 Jeremiah Mahler
<jmahler@×××××××.net> wrote:

> If anyone can submit ebuilds and the only way a user can discern between
> different ebuilds is by the version number then the following is true:
> 1. an ebuild can contain malicious code (worm, virus, etc)
> 2. nothing will prevent the user from using a malicious ebuild

Clearly, but I think everyone whose ebuild has made it into the
distribution (or got signed) has at least a name and an email-address. ;)

So he isn't that anonymous that a blackhat needs or wants, if he wants to
submit malicious code.

And if someone gets a key or access to cvs (or anything which allows him to
distribute ebuilds) isn't such a great difference. We have to trust them
anyway (as we have to trust those thousands of developers who are writing
the programs).

To end that discussion (I think we both want almost the same), I'm just at
the point to start it simple (with one key for the server). It isn't much
work and it's no problem to extend that later.

Regards,

Alexander