So if I build Gnu Linear Programming Package (aka GLPK) how do you prevent me 
from adding a Trojan, building GLPK, restoring the original source and building 
an IPS pkg? Is there a checksum generated by the compiler from the source file 
that is recorded in the binary?

If not, I should like an explanation of how it meets the "On Trusting Trust" 
issue. This has long been a major concern, but I have been blindly trusting the 
OI repository.

I can't resolve the backdoored distro problem, but I'm not concerned about 
that. I am concerned about the vetting process for IPS pkgs for 3rd party stuff 
produced by 3rd parties, e.g. Reg's version of libxyz.

Reg
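The check a build server can actually make, in place of a compiler-recorded source checksum, is to pin the hash of the source archive in the recipe and then verify that an independent rebuild from that pinned source reproduces the published package bit-for-bit. The following is an added illustration of that "pin the source, rebuild, compare" loop, not code from this thread, from OpenIndiana or from IPS; the recipe fields, the package name, the constructed source files and the toy "compile" step (a hash standing in for real object code) are all assumptions, and deterministic_tar shows the metadata normalisation (fixed mtime, uid/gid, ordering) a reproducible build needs.

```python
"""Pin a source archive, build from it, and check that a rebuild reproduces the package.

Added example; nothing here is OpenIndiana or IPS tooling. Standard library only.
"""
import hashlib
import io
import tarfile

# Constructed source trees. The tampered one carries an extra function the
# recipe never pinned, so its archive digest will not match the recipe.
CLEAN_SOURCE = {
    "Makefile": b"all: lib.o\n",
    "lib.c": b"int add(int a, int b) { return a + b; }\n",
}
TAMPERED_SOURCE = dict(CLEAN_SOURCE)
TAMPERED_SOURCE["lib.c"] = CLEAN_SOURCE["lib.c"] + b"int extra(void) { return 42; }\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def deterministic_tar(files: dict) -> bytes:
    """Pack files into a tar whose bytes depend only on the file contents.

    Names are sorted and mtime/uid/gid/uname/gname/mode are fixed, so two runs
    over the same inputs give identical archives (and identical digests).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_recipe(name: str, source_tar: bytes) -> dict:
    """A recipe carries the source digest, never the binary (hypothetical layout)."""
    return {"name": name, "source_sha256": sha256_hex(source_tar)}


def verify_source(recipe: dict, source_tar: bytes) -> bool:
    """Step 1: refuse to build anything whose archive digest is not the pinned one."""
    return sha256_hex(source_tar) == recipe["source_sha256"]


def build(source_tar: bytes) -> bytes:
    """Toy build: each .c file becomes an 'object' that is a function of its source only.

    A real compiler output is far more complex, but the property being checked
    is the same: the package must depend on the source and nothing else.
    """
    outputs = {}
    with tarfile.open(fileobj=io.BytesIO(source_tar), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".c"):
                src = tar.extractfile(member).read()
                outputs[member.name[:-2] + ".o"] = hashlib.sha256(src).digest()
    return deterministic_tar(outputs)


def verify_rebuild(published_pkg: bytes, source_tar: bytes) -> bool:
    """Step 2: rebuild from the pinned source and compare digests with the published package."""
    return sha256_hex(build(source_tar)) == sha256_hex(published_pkg)


def demo() -> dict:
    """Run both checks against a clean and a tampered source tree."""
    clean_tar = deterministic_tar(CLEAN_SOURCE)
    tampered_tar = deterministic_tar(TAMPERED_SOURCE)
    recipe = make_recipe("example-lib", clean_tar)  # hypothetical package name

    server_pkg = build(clean_tar)       # what a build server would publish
    tampered_pkg = build(tampered_tar)  # what a tampered build would publish

    return {
        "clean_source_matches_pin": verify_source(recipe, clean_tar),
        "tampered_source_matches_pin": verify_source(recipe, tampered_tar),
        "server_pkg_reproducible": verify_rebuild(server_pkg, clean_tar),
        "tampered_pkg_reproducible": verify_rebuild(tampered_pkg, clean_tar),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The second check is the one that answers the "build, swap in a Trojan, restore the source" scenario: a package whose digest a third party cannot reproduce from the pinned source is rejected regardless of what the submitter says it was built from. That only works if the build itself is deterministic, which is why the archive step pins every piece of metadata.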

On Monday, August 18, 2025 at 03:36:05 PM CDT, Till Wegmüller 
<[email protected]> wrote:

Hi Reg

We do handle maintenance and security updates for people. 
Technically you can have multiple repos linked to your system but in 
practice it's only ever the main openindiana.org one. And packages from 
there are always source built on the OpenIndiana build server and only 
from there. In the future we would also like to provide ephemeral build 
zones that are spawned from a template and then destroyed. So it gets 
really hard to backdoor those machines like in the XZ case. Other ideas 
to make that spawning process happen are heartily welcome. But in short, 
we do not accept binary packages, only source and recipes, and then build 
them from a decently secure system for people.

Hope this helps
-Till

On 18.08.25 21:44, Reginald Beardsley via openindiana-discuss wrote:
> I'm happy to build packages for things I use that don't already have pkgs. 
> However, it raises the issue of "On Trusting Trust".  I've generally not been 
> enthusiastic about binary packages because it's so easy to Trojan or backdoor 
> one.
> How does OI deal with that?  This is why I have, until very recently, built 
> from source.  Linux made doing that fairly absurd with all the dependencies 
> and as I was just using Linux on a test system for email I started slacking. 
> Time to stop.
> As an incentive, how about a lottery?  People who build things for their own 
> use and supply an IPS pkg get a ticket in an annual lottery for each pkg they 
> contribute and the prize is of the order of 1000 Euros.
> Have Fun!
> Reg
> _______________________________________________
> openindiana-discuss mailing list
> [email protected]
> https://openindiana.org/mailman/listinfo/openindiana-discuss