
RE: Binary release announcements?


From: Jim.Hyslop
Subject: RE: Binary release announcements?
Date: Wed, 18 Feb 2004 10:21:41 -0500

Greg A. Woods wrote:
> [ On Tuesday, February 17, 2004 at 08:36:43 (+0000), Andy Jones wrote: ]
> > Subject: Re: Binary release announcements?
> >
> > For my own part, there are some programs I am comfortable compiling
> > and some I most certainly am not.  It so happens that CVS falls in the
> > former category (now), but I can certainly sympathise with people who
> > put it in the latter.
> 
> I think you've got this all wrong.
No, I don't think he does (more after the next section).

> People who don't want, or can't, compile their own programs should be
> looking to their software integration "vendor" for such support.  If
> those people don't already have someone doing their software integration
> for them then it's long past time and they should think seriously about
> finding someone they can trust to help them out.
>
> There's also still the whole issue of trust.
How did I know you were going to bring that up? :=)

A perfect case in point is the recent thread about the Windows build being
broken - again. I've been through this many times with various open source
projects, and trying to get the software to build just is not worth the
hassle involved if there's a pre-built binary available from a site I trust
(there's that word again).

Even when I can build from source, I always have a nagging doubt - what if
I've missed some critical configuration option that hasn't been documented,
or is documented in a very obscure place? I don't want to have to read
through dozens of pages of documentation. I don't want to have to be
intimately familiar with each and every build process for each open-source
project I use. In many cases, I don't even care about the build step - all I
want is the final product. With a pre-built binary, I don't have to
second-guess myself. 

Again, you need to look at this from the point of view of the people *using*
the software. You have to stop thinking like the hard-core UNIX programmer
you are, and think like your users.

> As I understand it the
> folks producing the source release don't also produce all of the
> binaries, and I'm not sure how much they trust those who do produce the
> binaries, nor if they've ever declared the level of their trust.
As you well know, trust is a very personal thing. You, for example, appear
to trust no-one or nothing on the 'Net. I respect that view, but it is not
the same as mine. While I believe some caution and skepticism are healthy, I
can see the desire and need to have some reasonably trusted sources for the
binaries.

I trust that the maintainers of the cvshome web site will not knowingly do
anything malicious, and will act quickly to remove anything from the web
site that they learn is malicious.

If someone provides defective binaries (where "defective" could include bad
builds, corrupted binaries, binaries based on unofficial sources [ranging
from minor, innocuous changes to back doors], files infected with malware,
etc.), I would presume the problems will become evident fairly quickly, and
the person who provided the bad binaries would at the least be chastised, or
even possibly be blacklisted from providing binaries to the cvshome web
site. If or when anything like that happens, then I will have to re-evaluate
my level of trust in the binaries available at cvshome.

> At least with the source you can read it and you can compare it with
> previous versions that you've come to trust (especially in this case
> where you can use the tool in question to do those comparisons).
Sure, having the source code available is great - but how many of the people
who use CVS have actually *looked* at that source code? Even those who build
from source probably have not given the source code more than a cursory
glance.

How many people who download the source tar files actually verify the MD5
checksum?  Even if they verify the checksum, a hacker could replace the tar
file and modify the web page to show the MD5 checksum of the hacked
tarball. How many people who build from source double-check that the
source files are actually the same as the ones that were placed on the web
site? How much trust do you put in the source code? Again, that's a personal
decision.

And then there's the question of competence. I know we're talking
specifically about CVS here, which is not a hugely complex program, but your
statements above are very general. There are certain programs for which I
simply am not qualified to judge whether or not the source code is correct -
GPG, for example. I have no choice but to trust that the source code is
correct. There's no point in me even looking at the code. So, if I'm not
even going to look at the code, why should I have to compile it from source
if there's a pre-built binary available?

-- 
Jim Hyslop 
Senior Software Designer 
Leitch Technology International Inc. (<http://www.leitch.com/>) 
Columnist, C/C++ Users Journal (<http://www.cuj.com/experts>) 

p.s. Greg, my apologies for not responding to your personal email. I'm not
ignoring you. Really!



