Thanks for your help. I am convinced, however I am not the one that needs convincing. Do you have any idea if other companies trust the binary builds? (Is this 'paranoia' unique to my company?)
So I have all my ducks in a row, I have been looking into the src and binary distros a bit further, I noticed the tomcat-native library is included as source in the binary distro as a tar.gz file. Is this a necessary component of Tomcat? What is it for? The only platform specific files I found in the binary distro were the scripts and the Windows startup executable. Mark -----Original Message----- From: Tim Funk [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 23, 2006 11:09 AM To: Tomcat Developers List Subject: Re: Binary build procedures The release manager (RM) - creates a binary from his copy of source. - Generates a checksum key to allow validation of no tampering of the RM's build. The RM could insert malicious code into the build. If that were to happen - the RM would probably be kicked out of the project in a hurry. Its not valid to trust a source release download either. Its easy to tamper with the source just as it is the binary. But having the source at this point does allow for easy audits. If you are really paranoid - build your binary from the appropriate TAG would be safest since you are getting the original source - not repackaged versions. -Tim Mark Claassen wrote: > My boss has implemented some new procedures with regard to open source > projects. He believes the source distributions are trustworthy, but > he is not sure if he trusts the binary distributions. I think the > reasoning is that he is uncertain if the binary distributions are > controlled as well as the source ones are. And if they are not, > someone could inject some malicious code to expose customer data or something. > > Can someone give me a brief explanation on how the binary > distributions are created for 5.5? Are the binary distributions > created automatically from the repository, leaving no chance for nefarious tampering? > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
