This is the mail archive of the cygwin@sources.redhat.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: missing tsort in textutils.tar.gz


hi Charles,

Sorry to use cygutils as an example in the question.  No offense was
intended; I had just never thought about the "trust" issue between
Cygnus and all the various contributors that exist, and the fact that since
it's open source someone could sneak something in.  After seeing mention
of virus scanning etc. in the earlier discussion, I realized how much trust I
had put in everything I downloaded, because I didn't scan one thing
after downloading, so I was curious what measures were being taken
on the server side to protect such trusting persons as myself who don't
even think of scanning something they download from a site they just
discovered 5 minutes ago.

I've never used open source software until I stumbled upon cygwin.
It's very interesting and I like what I've discovered quite a bit.

By the way your cygutils site is very nice and once again, no offense
intended.

/dave



-----Original Message-----
From: Charles Wilson <cwilson@ece.gatech.edu>
To: Dave Arnold <avr_fan@mailandnews.com>
Cc: cygwin@sourceware.cygnus.com <cygwin@sourceware.cygnus.com>
Date: Friday, July 07, 2000 7:35 PM
Subject: Re: missing tsort in textutils.tar.gz


>
>> What about some of the sites like http://cygutils.netpedia.net/ etc? are
>> they trusted/certified too?
>>
>
>Trusted by whom? How *much* trust?
>
>I maintain the cygutils site; everything on that site was built by me
>personally. However, my machine could be infected, or the netpedia host
>could get hacked, or someone could man-in-the-middle as I'm uploading a
>new tarball. Or man-in-the-middle you as you're downloading it. There's
>*ALWAYS* a risk when you download stuff from the internet. For that
>matter, you don't know me from Adam; perhaps I'm a black hat. I say that
>I am not, but why believe me?
>
>As DJ said, sites (and people) *earn* trust. Reputation and past history
>count for far more than other, more technological means of validation
>and authentication. I *could* get a PGP key, get it certified into a
>web-of-trust, sign the packages, etc, etc. I've decided instead to
>provide checksums for the packages themselves using md5sum -- but that
>only protects you against corrupted downloads. Besides, PGP keys &
>webs-of-trust only indicate that someone *else* that you don't know
>verified that I am who I say I am, and that a third person you don't
>know verified them, etc. etc.
>
>You just have to trust me (and netpedia, and their security, and my
>personal virus precautions) that the tarballs themselves don't contain
>(trojans | virii | worms).
>
>You don't have to trust me, or any other site. Just download from
>somewhere else. Again, you don't know me or the proprietor of any
>specific site. For my part, I won't be offended if you choose to go
>elsewhere. :-)
>
>--Chuck


--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com
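The quoted reply makes a point worth seeing concretely: a checksum file published beside the tarball only catches corrupted downloads, because anyone who can replace the tarball on the host (or in transit) can regenerate the checksum file too. What actually adds protection is obtaining the checksum, or a signing key, through a channel the attacker does not control. The following is an added example, not code from the cygutils site or from anyone in this thread. It simulates the host as a dictionary, uses constructed tarball bytes and a hypothetical file name, and uses SHA-256 in place of md5sum (an assumption; the argument is the same for either hash).

```python
"""Constructed demo of checksum provenance (not from the cygutils site).

Compares two clients:
  * one that trusts the .sha256 file sitting next to the tarball on the host;
  * one that compares against a digest obtained out of band (e.g. announced
    on a mailing list or read from a signed message).
"""
import hashlib
import hmac
from typing import Dict, Optional

Host = Dict[str, bytes]  # hypothetical stand-in for an HTTP/FTP host


def digest(data: bytes) -> str:
    # SHA-256 rather than md5sum: assumption, same reasoning applies to both.
    return hashlib.sha256(data).hexdigest()


def publish(host: Host, name: str, data: bytes) -> str:
    """Maintainer uploads the tarball plus a checksum file beside it.
    Returns the digest so it can also be announced out of band."""
    d = digest(data)
    host[name] = data
    host[name + ".sha256"] = d.encode()
    return d


def download(host: Host, name: str) -> Optional[bytes]:
    return host.get(name)


def verify_same_host(host: Host, name: str) -> bool:
    """Client fetches both tarball and checksum from the same host."""
    data = download(host, name)
    published = download(host, name + ".sha256")
    if data is None or published is None:
        return False
    return hmac.compare_digest(digest(data), published.decode())


def verify_pinned(host: Host, name: str, pinned_digest: str) -> bool:
    """Client compares against a digest it obtained through another channel."""
    data = download(host, name)
    return data is not None and hmac.compare_digest(digest(data), pinned_digest)


def corrupt_in_transit(data: bytes) -> bytes:
    """Model a bad download: one bit flipped, checksum file unaffected."""
    return bytes([data[0] ^ 0x01]) + data[1:]


def compromise_host(host: Host, name: str, evil: bytes) -> None:
    """Attacker controlling the host (or the upload path) swaps the tarball
    and simply recomputes the checksum file to match."""
    host[name] = evil
    host[name + ".sha256"] = digest(evil).encode()


def demo() -> Dict[str, bool]:
    host: Host = {}
    name = "tsort-1.0.tar.gz"  # hypothetical file name
    genuine = b"\x1f\x8b genuine tarball bytes (constructed)"
    pinned = publish(host, name, genuine)

    results: Dict[str, bool] = {}
    results["clean_same_host"] = verify_same_host(host, name)
    results["clean_pinned"] = verify_pinned(host, name, pinned)

    # Case 1: corrupted download. The client's view of the host has a damaged
    # tarball but an intact checksum file, so both checks catch it.
    seen_by_client: Host = dict(host)
    seen_by_client[name] = corrupt_in_transit(genuine)
    results["corrupt_same_host"] = verify_same_host(seen_by_client, name)
    results["corrupt_pinned"] = verify_pinned(seen_by_client, name, pinned)

    # Case 2: compromised host. The checksum beside the tarball now matches
    # the trojaned file, so only the out-of-band digest catches it.
    compromise_host(host, name, b"trojaned tarball bytes (constructed)")
    results["tampered_same_host"] = verify_same_host(host, name)
    results["tampered_pinned"] = verify_pinned(host, name, pinned)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} -> {'accepted' if ok else 'rejected'}")
```

The same reasoning carries over to PGP signatures: a detached signature is only as good as the channel through which you obtained the key that checks it, which is why the reply above treats reputation and history as doing most of the work.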

