Linux - Suse Forum: How secure is openSUSE build service ("1-Click-...
Author: Tom (Guest)
Posted: Fri Oct 03, 2008 8:02 am

Hello folks,
I wanted to install rsync with the 1-Click-install function of the openSUSE
website.
Then I realized that the source is not openSUSE, but
"sergey1369:rsync/openSUSE_11.0"
So my question is: How secure are these sources actually?
As I plan to use the software in a working environment I would not like to
install things from dubious sources.
Can I take the files from there, or should I better take the sources and
compile myself?
Thanks for any info!
Cheers
Tom
--
Help keep the usenet free!
Use and/or support (e.g. by setting up an own server) the nonprofit
open-news-network project:
http://www.open-news-network.org/

Author: houghi (Guest)
Posted: Fri Oct 03, 2008 9:09 am

Tom wrote:
Quote:
Hello folks,
I wanted to install rsync with the 1-Click-install function of the openSUSE
website.
Then I realized that the source is not openSUSE, but
"sergey1369:rsync/openSUSE_11.0"
Why not use the ones from openSUSE?
http://software.opensuse.org/ymp/openSUSE:11.0/standard/rsync.ymp
Quote: So my question is: How secure are these sources actually?
As (un)safe as any third party. It is technically possible to insert
insecure code into it.
Quote: As I plan to use the software in a working environment I would not like to
install things from dubious sources.
Then do not select a dubious source
Quote: Can I take the files from there, or should I better take the sources and
compile myself?
Taking them from there is exactly the same as installing the RPM, unless
you read the source yourself. If you want the most secure thing, go to
as close to the source as possible and take it from there and compile it
from there.
I would just use the official release. I also do trust what is on the
rest of the server, although I know these are not official things.
From a pure theoretical point of view: What you can do is ask for an account
yourself and then see if there is a change done to the sources he uses
and see what the other files are he used.
e.g. I see the following there:
system-zlib.diff for package rsync (Project home:sergey1369:rsync)
--- Makefile.in
+++ Makefile.in
at (no spam) at (no spam) -40,7 +40,8 at (no spam) at (no spam)
DAEMON_OBJ = params.o loadparm.o clientserver.o access.o connection.o
authenticate.o
popt_OBJS=popt/findme.o popt/popt.o popt/poptconfig.o \
popt/popthelp.o popt/poptparse.o
-OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) $(ZLIBOBJ)
at (no spam) BUILD_POPT at (no spam)
+OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) at (no spam) BUILD_POPT at (no spam)
+LIBS += -lz
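Review bot: the hunk header and the two `@BUILD_POPT@` substitution markers have been mangled to "at (no spam)" by the archive's address obfuscation, so the patch as quoted here will not apply; the original lines read `@@ -40,7 +40,8 @@` and end in `@BUILD_POPT@`. As for the change itself, dropping `$(ZLIBOBJ)` from `OBJS` and adding `LIBS += -lz` is exactly what a file named system-zlib.diff should do (stop linking rsync's bundled zlib objects, link the system library instead); what a reviewer should confirm alongside it is that the package's build dependencies declare the zlib development files, so a missing system zlib fails at build time rather than producing a broken binary at link time.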
<snip>
There are other files in there as well. However if you use it as update
as well, then you must verify the source (as with each change) yourself.
So in a pure theoretical way, yes it is possible to give you insecure
code. That is always possible for each and every maker of software,
including Novell and yourself. Whether by accident or on purpose is a
different matter.
houghi
--
It's people. Source code is made out of people! They're making our
source out of people. Next thing they'll be breeding us like cattle
for code. You've gotta tell them. You've gotta tell them!
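One way to put houghi's advice into practice, as an added example that is not code from the thread or from the openSUSE build service: before trusting a third-party source package, check its upstream tarball against a checksum pinned from the upstream project itself, list which files each declared patch touches so you know what to read, and flag any file in the package the spec never mentions. The spec, tarball bytes and patch below are constructed stand-ins (the patch mirrors the system-zlib.diff hunk quoted above, with the mangled `@@` headers restored); `audit`, `parse_spec` and `patch_targets` are hypothetical names.

```python
"""Audit a source package from a third-party repository before installing it.
Added example, not code from the thread: pinned checksum check on the upstream
tarball plus an inventory of what the package's patches and extra files touch."""
import hashlib
import re

# Constructed sample spec: the tags are real RPM spec tags, the values are made up.
SPEC = """\
Name:     rsync
Version:  3.0.4
Source0:  rsync-%{version}.tar.gz
Patch0:   system-zlib.diff
%prep
%setup -q
%patch0 -p0
"""

# Constructed stand-ins for the upstream tarball and for the patch quoted in the thread.
UPSTREAM_TARBALL = b"pretend this is rsync-3.0.4.tar.gz as published upstream"
SYSTEM_ZLIB_DIFF = """\
--- Makefile.in
+++ Makefile.in
@@ -40,7 +40,8 @@
-OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) $(ZLIBOBJ) @BUILD_POPT@
+OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) @BUILD_POPT@
+LIBS += -lz
"""

# Checksums you would pin from the upstream project's own release announcement or
# signature, never from the repository under review. Here derived from the constructed bytes.
PINNED = {"rsync-3.0.4.tar.gz": hashlib.sha256(UPSTREAM_TARBALL).hexdigest()}


def parse_spec(spec_text):
    """Return (sources, patches) declared by a spec, with %{name}/%{version} expanded."""
    macros, sources, patches = {}, [], []
    for line in spec_text.splitlines():
        tag = re.match(r"^(Name|Version):\s*(\S+)", line)
        if tag:
            macros[tag.group(1).lower()] = tag.group(2)
            continue
        ref = re.match(r"^(Source|Patch)\d*:\s*(\S+)", line)
        if ref:
            value = re.sub(r"%\{(\w+)\}", lambda m: macros.get(m.group(1), m.group(0)), ref.group(2))
            (sources if ref.group(1) == "Source" else patches).append(value)
    return sources, patches


def patch_targets(patch_text):
    """List the files a unified diff modifies, taken from its '+++' headers (a/ b/ prefixes stripped)."""
    targets = []
    for line in patch_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0]
            if path.startswith(("a/", "b/")):
                path = path[2:]
            targets.append(path)
    return targets


def audit(spec_text, package_files, pinned):
    """package_files maps file name -> bytes as found in the source package (spec included)."""
    sources, patches = parse_spec(spec_text)
    report = {"sources": {}, "patches": {}, "unlisted": []}
    for name in sources:
        data = package_files.get(name)
        if data is None:
            report["sources"][name] = "missing"
        elif name not in pinned:
            report["sources"][name] = "no pinned checksum"
        elif hashlib.sha256(data).hexdigest() == pinned[name]:
            report["sources"][name] = "ok"
        else:
            report["sources"][name] = "MISMATCH"  # tarball is not what upstream published
    for name in patches:
        data = package_files.get(name)
        report["patches"][name] = patch_targets(data.decode()) if data is not None else None
    referenced = set(sources) | set(patches)
    report["unlisted"] = sorted(f for f in package_files
                                if f not in referenced and not f.endswith(".spec"))
    return report


# Constructed packages: one faithful to upstream, one with a modified tarball and an
# extra file the spec never declares (both things a reviewer wants surfaced).
GOOD_PACKAGE = {
    "rsync.spec": SPEC.encode(),
    "rsync-3.0.4.tar.gz": UPSTREAM_TARBALL,
    "system-zlib.diff": SYSTEM_ZLIB_DIFF.encode(),
}
TAMPERED_PACKAGE = dict(GOOD_PACKAGE, **{
    "rsync-3.0.4.tar.gz": UPSTREAM_TARBALL + b"\x00",
    "unlisted-helper.sh": b"#!/bin/sh\n",
})

if __name__ == "__main__":
    for label, pkg in (("good", GOOD_PACKAGE), ("tampered", TAMPERED_PACKAGE)):
        print(label, audit(SPEC, pkg, PINNED))
```

The comparison only means something if the pinned checksum comes from upstream's own release notes or detached signature rather than from the repository being audited; a matching tarball then narrows the review to the patches and unlisted files the report names. The spec parser handles only the tags this example needs; real specs use many more macros and conditionals.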