important question, checksums, mirror sites

Posted: 27 Apr 2017, 18:52
by luko
Hi folks, I have a minor... oh, important question........

At first I want to say I don't speak about the original Porteus files and modules, but about the i484, x86_64 items in the forum where I or any user can download packages.

I see that some people put precompiled packages here, and mirror sites. I know that any user can download, try and use them, but are these packages trusted? Some people are from Porteus and are OK, but how can I know these packages are clean?

There are no md5 or sha256 checksums, or trusted sources.

I vote for publishing the original binary source files from which these packages are created.

Like when I want to publish, e.g., the text editor GEANY package, then also publish
the original binary that I am using
http://slackware.uk/salix/x86_64/14.2/s ... 64-1gv.txz
and checksum too
http://slackware.uk/salix/x86_64/14.2/s ... 64-1gv.md5

What do you think about this?

Re: important question, checksums, mirror sites

Posted: 27 Apr 2017, 19:26
by Bogomips
Normally do this. Please see as example: http://forum.porteus.org/viewtopic.php? ... 10e#p51557

Re: important question, checksums, mirror sites

Posted: 28 Apr 2017, 06:24
by donald
Hi luko

First of all, I understand your concerns.

But the truth is, as long as one does not read the source code
-- and understand what this code does --
one has to trust the maintainer, no matter where you got the package from.

If you install a Linux distribution, containing hundreds of packages... you have to trust.

Otherwise install Wireshark on a 2nd PC and observe from the outside what your PC is doing.
(sending / receiving)

And if you don't trust me, I won't trust you either.. :wink:

Re: important question, checksums, mirror sites

Posted: 28 Apr 2017, 07:18
by Evan
donald wrote: If you install a Linux distribution, containing hundreds of packages... you have to trust.

http://blog.linuxmint.com/?p=2994

Re: important question, checksums, mirror sites

Posted: 28 Apr 2017, 08:05
by donald
^
is known....

Does not change the statement,...proves only that trust can also be abused.

Re: important question, checksums, mirror sites

Posted: 28 Apr 2017, 08:15
by Evan
donald wrote: ^
is known....

Does not change the statement,... proves only that trust can also be abused.
:shock:

So you just carry on without an official sha256 checksum even when trust is proven to be broken.


Re: important question, checksums, mirror sites

Posted: 28 Apr 2017, 08:31
by donald
^
If I (would) package some malware, I would surely also provide the appropriate (whichever) checksum.
lol

Compile a source twice and you will get two different checksums.
Debian is on the way to establish reproducible builds. That would be a step forward.

EDIT

One can take some precautions.

a) get your packages from the official repo

b) compile by yourself
(Not a big advantage if you did not understand the source and also built a compiler yourself)

c) download from people who have a good reputation (to lose).

Re: important question, checksums, mirror sites

Posted: 28 Apr 2017, 10:00
by Evan
donald wrote: ^
If I (would) package some malware, I would surely also provide the appropriate (whichever) checksum.
lol

Sites like Mint now release the checksums off-site across multiple places for people to cross-reference, so the hacker would have to instantly hack each mirror at release for all the hacked copies to match.
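
The cross-referencing Evan describes above, and donald's point that a checksum published next to the package proves nothing by itself, as an added example that is not part of any post in this thread. It assumes you have already fetched sha256sum-format text from several independent publication points (names and file contents below are constructed); a file only counts as verified when every source agrees with each other and with the bytes on disk, and a single dissenting source is reported separately from a wholesale mismatch.

```python
import hashlib

# Constructed stand-ins for a downloaded package and its name (not a real Porteus file).
PACKAGE_NAME = "example-1.0-x86_64-1.txz"
PACKAGE = b"constructed package bytes, standing in for a real .txz archive\n"
GOOD_DIGEST = hashlib.sha256(PACKAGE).hexdigest()
TAMPERED_DIGEST = hashlib.sha256(PACKAGE + b"backdoor").hexdigest()

def parse_sha256sum(text):
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode
        if len(digest) == 64 and set(digest) <= set("0123456789abcdef"):
            sums[name] = digest
    return sums

def cross_check(data, filename, published, minimum_sources=2):
    """Compare the local file's SHA-256 with the digests several independent
    publication points claim for it. Only 'verified' means every source agrees
    with each other AND with the bytes on disk.
    published: {source_name: sha256sum-format text fetched from that source}."""
    actual = hashlib.sha256(data).hexdigest()
    claims = {src: parse_sha256sum(text).get(filename) for src, text in published.items()}
    claims = {src: d for src, d in claims.items() if d}
    if len(claims) < minimum_sources:
        return "insufficient", sorted(claims)
    disagreeing = sorted(src for src, d in claims.items() if d != actual)
    if not disagreeing:
        return "verified", sorted(claims)
    if len(disagreeing) == len(claims):
        return "mismatch", disagreeing   # the local file is wrong, or every source is
    return "conflict", disagreeing       # sources disagree: some copy was altered

# Constructed checksum files as three independent sources would publish them.
MIRROR_OK = f"{GOOD_DIGEST}  {PACKAGE_NAME}\n"
MIRROR_BAD = f"{TAMPERED_DIGEST} *{PACKAGE_NAME}\n"  # one mirror serving an altered sum
SOURCES_AGREE = {"mirror-a": MIRROR_OK, "forum-post": MIRROR_OK, "mirror-b": MIRROR_OK}
SOURCES_CONFLICT = {"mirror-a": MIRROR_OK, "forum-post": MIRROR_OK, "mirror-b": MIRROR_BAD}

if __name__ == "__main__":
    for label, sources in (("agree", SOURCES_AGREE), ("conflict", SOURCES_CONFLICT)):
        print(label, cross_check(PACKAGE, PACKAGE_NAME, sources))
```

A "conflict" verdict names the odd source out, which is the case worth investigating; a "mismatch" against all sources usually means the download itself is bad.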

Re: important question, checksums, mirror sites

Posted: 28 Apr 2017, 11:34
by donald
Well, I'm totally relaxed.
There are a lot of good, reliable people out there who really know what goes on,
and if software behaved suspiciously it would be observed and reported very quickly.

Software has and will always have security gaps.
To use these is much "quieter" and more discreet.
You know the motto of "Backtrack"?:
-- The quieter you are the more you hear --

Imho, it is much more likely that users endanger themselves by doing "stupid" things.
...Adobe flash anyone?....

You see, in regards to Linux software used on home PCs, I am in no way worried.

Re: important question, checksums, mirror sites

Posted: 28 Apr 2017, 11:37
by Evan
donald wrote: Imho, it is much more likely that users endanger themselves by doing "stupid" things.
...Adobe flash anyone?....
Well there's one thing we both agree on. :D :friends: