info-cvs

RE: Binary release announcements?


From: Patton, Matthew E., CTR, OSD-PA&E
Subject: RE: Binary release announcements?
Date: Wed, 18 Feb 2004 11:25:56 -0500

Classification: UNCLASSIFIED

I agree 100% with Jim Hyslop's POV.

> > There's also still the whole issue of trust.
> How did I know you were going to bring that up? :=)

Like ANYBODY who looks at the CVS code can trust it! So it's not as bad as
qmail and other hideous projects out there but the code-base is anything but
"reassuring". Hell, I broke the build on v1.11.11 just by not enabling the
pserver capability - that self-same capability that everybody maintains is
"dangerous". Not to mention it's a list mantra that CVS was never designed
with security in mind. And you think it deserves to be trusted in any way
shape or form?

> project I use. In many cases, I don't even care about the build step - all I
> want is the final product. With a pre-built binary, I don't have to
> second-guess myself.

True enough. It's less about second-guessing on my part, I can't expect my
customers/clients to go have to build their own version from source every
single time. About all I can expect of them is to run 'rpm' or 'up2date'.
They don't NEED to be C programmers or gurus. They just want to get their
work done.

> As you well know, trust is a very personal thing. You, for example, appear
> to trust no-one or nothing on the 'Net. I respect that view, but it is not
> the same as mine. While I believe some caution and skepticism are healthy, I
> can see the desire and need to have some reasonably trusted sources for the
> binaries.

CVS is a gnat in the scheme of things. If pre-built binaries were such a
problem, why do zillions of *BSD, Linux, *nix, windoze users do nothing but
install binaries (and MS doesn't even sign their stuff)? The opportunity to
trojan Linux or OpenBSD is FAR more attractive than diddling with a source
control system.

> How many people who download the source tar files actually verify the MD5
> checksum?

Almost nobody.

> Even if they verify the checksum, a hacker could replace the tar file and
> have modified the web page to show the MD5 checksum of the hacked tarball.

Or anyone running a mirror could likewise play games.
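The failure mode discussed in the last two exchanges (a checksum published next to the tarball it covers gives no protection once the server or mirror serving both is under someone else's control) can be demonstrated in a few lines. The Python below is an added illustration, not code from this thread or from the CVS project; the tarball contents, file name and checksum-file lines are constructed samples. It parses md5sum/sha256sum-style checksum lines, verifies a file against them, and then shows that a swapped tarball passes verification against the co-hosted checksum file but fails against a copy of the checksums the user obtained out of band. The digest algorithm is a parameter so the same code runs with "md5" (what the thread refers to) or "sha256".

```python
import hashlib
import hmac

# Constructed sample "tarball" contents; not real CVS release data.
ORIGINAL_TARBALL = b"cvs-1.11.11 genuine release (constructed sample)\n"
TROJANED_TARBALL = b"cvs-1.11.11 tampered release (constructed sample)\n"
SAMPLE_NAME = "cvs-1.11.11.tar.gz"  # constructed file name


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data with the named hashlib algorithm ("md5", "sha256", ...)."""
    return hashlib.new(algo, data).hexdigest()


def parse_checksum_file(text: str) -> dict:
    """Parse md5sum/sha256sum output lines of the form '<hex>  <filename>'.

    A leading '*' on the file name (binary-mode marker) is stripped.
    Blank lines and '#' comments are ignored; malformed lines are skipped.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        hexdigest, name = parts
        sums[name.lstrip("*")] = hexdigest.lower()
    return sums


def verify(data: bytes, name: str, checksum_text: str, algo: str = "sha256") -> bool:
    """True if data's digest matches the entry for name in checksum_text."""
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        return False
    # compare_digest avoids timing differences; both sides are ASCII hex strings.
    return hmac.compare_digest(digest(data, algo), expected)


def simulate_mirror_swap(algo: str = "sha256") -> dict:
    """Model a mirror that replaces both the tarball and its checksum file.

    Returns a dict of booleans showing which verification strategy catches it.
    """
    # Checksum file as the project originally published it (constructed).
    genuine_sums = f"{digest(ORIGINAL_TARBALL, algo)}  {SAMPLE_NAME}\n"
    # What the compromised mirror now serves: a swapped tarball and a
    # checksum file regenerated to match it.
    mirror_tarball = TROJANED_TARBALL
    mirror_sums = f"{digest(TROJANED_TARBALL, algo)}  {SAMPLE_NAME}\n"
    return {
        # Checking against the checksum file served beside the download passes:
        "cohosted_checksum_passes": verify(mirror_tarball, SAMPLE_NAME, mirror_sums, algo),
        # Checking against a checksum copy obtained elsewhere catches the swap:
        "out_of_band_checksum_fails": not verify(mirror_tarball, SAMPLE_NAME, genuine_sums, algo),
        # The genuine tarball still verifies against the genuine checksums:
        "genuine_tarball_passes": verify(ORIGINAL_TARBALL, SAMPLE_NAME, genuine_sums, algo),
    }


if __name__ == "__main__":
    for algo in ("md5", "sha256"):
        print(algo, simulate_mirror_swap(algo))
```

The point the exchange makes is visible in the returned dict: the checksum only adds assurance when the expected value comes from a channel the attacker does not also control (a separately obtained checksum list, or a detached signature whose key was obtained earlier), which is exactly what almost nobody does.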
