Boost logo

Boost :

From: Rene Rivera (grafik.list_at_[hidden])
Date: 2004-12-20 21:56:12


Stefan Seefeld wrote:
> Rene Rivera wrote:
>
>> Daryle Walker wrote:
>>
>>> I dislike the idea of executable-wrapped archives in general. You
>>> only have a creator's word that the file isn't actually a Trojan
>>> and/or infected with a virus. (Even a trustworthy creator may get
>>> overridden by a cracker's altered archives.)
>>
>> That is true regardless of type of archive. The source archives are
>> just as susceptible to tampering as the executable ones. And such
>> tampering has occurred in other open source distributed material.
>
> I believe what Daryle is getting at here is the fact that on one
> particular platform it is common practice to execute a downloaded file
> itself (or an attachment, or...) instead of using a trusted local
> executable to inspect the content of a downloaded file.
> It's certainly always a good idea to validate the integrity of an
> unknown file, however it's much less dangerous if such files are
> passive data instead of executable code that could harm the whole machine.

OK, got that.. But my point was that there is no such thing as passive
data when you distribute programs, or fragments thereof. Whether they
are in source form or directly executable you are equally susceptible to
tampering. Therefore the only way to produce a secure product is to
secure the entire process, something I think none of us are willing to
embark on for Boost ;-) So it comes to two other choices: provide for an
independent trustee of the archives (PK or other authorities), or
individual guards against malicious content (firewalls, anti-virus
programs, etc.). Hopefully all Boost users are intelligent enough to
have already done the latter. And perhaps we can do something about the
former.

-- 
-- Grafik - Don't Assume Anything
-- Redshift Software, Inc. - http://redshift-software.com
-- rrivera/acm.org - grafik/redshift-software.com - 102708583/icq

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk