reproduce-devel

[task #15696] Security warning at the start of Maneage


From: Boud Roukema
Subject: [task #15696] Security warning at the start of Maneage
Date: Wed, 17 Jun 2020 11:07:41 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Follow-up Comment #1, task #15696 (project reproduce):

The example of a trojan that you give is a good reminder of what we can do as
counterarguments when we are pressured to install non-free software, or even
worse, non-free binaries, on our computers. As you point out, it's trivial to
insert a trojan in code.

Free-licensed code tends to be safer, because it's more likely, though not
guaranteed, that people notice security flaws.

Free-licensed code in a git repository by identified scientists from your own
scientific community tends to be even safer, because the dangerous part of the
code would be traceable in the git history, and if it became clear that the
flaw were deliberate, then that would be quite bad for the author's
reputation. There's also no motivation for scientists to do this, where your
informal scientific reputation is de facto important, even if it doesn't count
in bibliometry.

Regarding the text of the warning, shifting the source URLs to a single file
will be useful in this context - see https://savannah.nongnu.org/task/?15686 .
Once this is done, we should recommend that the user browse through the list
of URLs and make a judgment regarding how much s/he trusts those URLs to
provide secure software.

There are several overlapping en.Wikipedia pages describing various forms of
trust networks for software/computing/internet:

https://en.wikipedia.org/wiki/Trust#Computing

Debian effectively has a trust network in the sense of multiple pipelines for
submitting software updates, a formally developed trust network of Debian
Developers, together with bug reports and so on, plus a dedicated security
team.

This suggests one way of increasing security, which will be easier when 15686
is implemented, which will be to have an option to preferentially use GNU and
Debian sources as much as possible: so rather than strictly upstream sources,
these will be quality-controlled versions.

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/task/?15696>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
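The comment above suggests two things once the source URLs live in one file: that the user review the list and judge how far each host is trusted, and that a build option prefer GNU and Debian sources over raw upstream ones. The script below is an added illustration of that review step written for this archive page; it is not code from the Maneage project or from the thread. The one-line-per-candidate list format, the host tiers, the package names and every URL are constructed assumptions, and the SHA-256 check at the end is an extra safeguard the comment does not mention: a trusted host reached over plain `http`/`ftp` still leaves the tarball open to modification in transit, so the fetched bytes should be compared against a checksum recorded in the repository.

```python
"""
Rank candidate download URLs per software source by how much the host is
trusted, flag sources with no quality-controlled (GNU/Debian) mirror, and
verify a fetched tarball against a recorded SHA-256.  Constructed example:
list format, tiers, names and URLs are assumptions, not Maneage's config.
"""
import hashlib
from urllib.parse import urlparse

# Assumed preference policy: lower tier number wins.  Hosts not listed
# fall into the "upstream/unknown" tier and are flagged for manual review.
TRUST_TIERS = {
    "ftp.gnu.org": 0,
    "ftpmirror.gnu.org": 0,
    "deb.debian.org": 1,
    "ftp.debian.org": 1,
}
UNKNOWN_TIER = 2
TIER_NAMES = {0: "GNU", 1: "Debian", 2: "upstream/unknown"}

# Constructed source list: "<name> <url>", one candidate per line.
SOURCE_LIST = """\
gawk    https://ftp.gnu.org/gnu/gawk/gawk-VERSION.tar.gz
gawk    https://mirror.example.org/gawk/gawk-VERSION.tar.gz
cfitsio http://deb.debian.org/debian/pool/main/c/cfitsio/cfitsio_VERSION.orig.tar.gz
cfitsio https://upstream.example.org/cfitsio-VERSION.tar.gz
widget  ftp://files.example.net/widget-VERSION.tar.gz
"""


def parse_source_list(text):
    """Return {name: [url, ...]} in the order the candidates were listed."""
    sources = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, url = line.split(None, 1)
        sources.setdefault(name, []).append(url.strip())
    return sources


def host_tier(url):
    """Map the URL's host to a trust tier; unknown hosts get UNKNOWN_TIER."""
    host = (urlparse(url).hostname or "").lower()
    return TRUST_TIERS.get(host, UNKNOWN_TIER)


def uses_https(url):
    return urlparse(url).scheme.lower() == "https"


def rank_candidates(urls):
    """Most trusted host first; among equal tiers prefer HTTPS over http/ftp."""
    return sorted(urls, key=lambda u: (host_tier(u), not uses_https(u)))


def trust_report(text):
    """Pick the preferred URL per source and list what a reviewer should check."""
    report = {}
    for name, urls in parse_source_list(text).items():
        preferred = rank_candidates(urls)[0]
        tier = host_tier(preferred)
        flags = []
        if tier == UNKNOWN_TIER:
            flags.append("no GNU/Debian mirror")
        if not uses_https(preferred):
            flags.append("insecure transport")
        report[name] = {"preferred": preferred,
                        "tier": TIER_NAMES[tier],
                        "flags": flags}
    return report


def verify_sha256(data, expected_hex):
    """True if the fetched bytes match the checksum recorded in the repository."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


if __name__ == "__main__":
    for name, info in trust_report(SOURCE_LIST).items():
        print(f"{name:8} {info['tier']:17} {info['preferred']}  "
              f"{', '.join(info['flags'])}")
```

Run as-is, the report prefers the GNU mirror for `gawk`, the Debian pool for `cfitsio` (but flags it because that candidate is plain `http`), and marks `widget` as having no quality-controlled mirror at all, which is exactly the kind of entry a user should look at before trusting the build.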