On Thu, Mar 25, 2004 at 07:11:47PM +0000, Chris Bainbridge wrote:
>
> All of these things might individually be less likely than a direct attack,
> but together the possibility that one small security breach, for a single
> developer, might occur is more than comparable to the possibility that the
> rsync code, which has been extensively audited, might contain an external
> exploit.
>

The difference is that we (the developers) control our machines. rsync
mirrors are provided by third parties; we have no control whatsoever
over those systems.

There will always be the threat of compromise at some level. There are
thousands of potential scenarios. Right now we're trying to fix one of
them: rsync server compromise.

rac relayed an interesting quote to me -- "Don't let perfect get in the
way of better"

--
Jon Portnoy
avenj/irc.freenode.net

--
gentoo-dev@g.o mailing list