From: Stefan Seefeld (seefeld_at_[hidden])
Date: 2004-12-20 22:13:09
Rene Rivera wrote:

> OK, got that.. But my point was that there is no such thing as passive
> data when you distribute programs, or fragments thereof.

When I download a tar.bz file there isn't *anything* anybody can do with
that file. It's simply not executable. Setting the executable bit will
just cause the system to throw up its hands with an error message.

Providing the 'convenience' of self-executability is just a huge disservice
to all potential recipients, at least when security is an issue.

And, as far as tampering goes, what's wrong with checksums? All you are
interested in is to know that the file you downloaded is identical to
the one your trusted peer packaged for you.

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk