From: Stefan Seefeld (seefeld_at_[hidden])
Date: 2004-12-20 21:19:00
Rene Rivera wrote:
> Daryle Walker wrote:
>> I dislike the idea of executable-wrapped archives in general. You
>> only have a creator's word that the file isn't actually a Trojan
>> and/or infected with a virus. (Even a trustworthy creator may get
>> overridden by a cracker's altered archives.)
> That is true regardless of type of archive. The source archives are just
> as susceptible to tampering as the executable ones. And such tampering
> has occurred in other open source distributed material.
I believe what Daryle is getting at here is the fact that on one
particular platform it is common practice to execute a downloaded file
itself (or an attachment, or...) instead of using a trusted local
executable to inspect the content of a downloaded file.

It's certainly always a good idea to validate the integrity of an
unknown file; however, it's much less dangerous if such files are
passive data instead of executable code that could harm the whole machine.