On Tue, Nov 07, 2000 at 09:06:32PM -0800, Vijay Prabakaran ([EMAIL PROTECTED]) wrote:
> Hi,
>
> I have been following the "horrifying suggestion" thread on
> the lists and what you say about the go-gnome script makes perfectly
> good sense. Has anyone talked to Helixcode about the problem?

I copied Ethan's comments to the site and several specific contacts there, some time last week. No response.

> In most distributions all the script does is download the installer
> and in Debian it just adds an extra line in sources file. Telling the
> user to edit sources file and add the extra line and then doing an
> apt-get seems to me to be as simple as what they are asking the user
> to do.

apt-get does provide some (largely weak) protections -- you are assuming the site is trusted. debsums also helps you, though only if they're accurate in the first place. Debian packages aren't, AFAIK, signed, though package maintainers should keep their signatures current (I don't quite understand what this accomplishes, and would appreciate an explanation).

> There is no percentage in using the go-gnome script at all
> apart from giving misconceptions to the user about user friendliness.
> And now there are so many sites giving installation scripts to be
> executed as root user. Eazel makes you download an installer script
> for rpm based systems for installing nautilus PR2 and there are many
> more companies like that. Can anything be done to somehow make these
> people understand and use some security measures in the process of
> installing software.

The lone advantage here is that if there are problems with the script, as it comes from a single, known, source, it can be checked, and reported, if there are any problems.

There's an aptness to the use of a penguin as the GNU/Linux mascot, regarding how penguins enter the water. They crowd the edge of a floe and jostle. First bird in the water gets to find out if there's a leopard seal (mortal enemy) below. All's well? The flock goes in.

If there are blatantly apparent problems with someone's root-access-required script, you can pretty much bet you'll hear about it. In short order. The problem is the non-blatant problems.

I much prefer things to blow up in my face rather than smolder quietly for days or weeks -- it's easier to figure out something's going wrong, and likely, what caused it.

--
Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Zelerate, Inc.                      http://www.zelerate.org
  What part of "Gestalt" don't you understand?      There is no K5 cabal
   http://gestalt-system.sourceforge.net/        http://www.kuro5hin.org