____/ birre on Friday 24 August 2007 14:16 : \____
> On 2007-08-24 14:04, Roy Schestowitz wrote:
>> ____/ Krzysztof Lubanski on Friday 24 August 2007 12:40 : \____
>>
>>> On Fri, 24 Aug 2007 12:33:12 +0100, Roy Schestowitz wrote:
>>>
>>>> ____/ birre on Friday 24 August 2007 12:03 : \____
>>>>> So, how do we verify and validate this file before we click on it?
>>>>> Do we really need the same mess as in windows where the data in a
>>>>> package is verified by a program in the package itself?
>>>>>
>>>>> It sucks.
>>>> Maybe these files can be centralised in a trusted universal repository.
>>> Isn't it against free software concepts? One "centralised" and "trusted"
>>> source of binary, executable packages - sounds like a thing to abuse. GNU/
>>> Linux world is more or less distributed right now and I think that's
>>> good, despite all shortcomings.
>>
>> True, pardon a poor choice of words. I added the word "universal" just
>> seconds before posting, but I shouldn't have. As for the packaging method,
>> it would not be harmful to have one method that encompasses (not necessarily
>> replaces) all others. Think of Linux media players that successfully combine
>> the best of many worlds thanks to reuse.
>>
>
> So, to save our ass from trojans and rootkits we still need a package manager
> already installed in the system that checks the package before installing it.
> And that makes me think a self extracting package sucks.
> Just look at those *.bin and .run files, that can do anything with your box
> when you run them.
Yes, even some Samsung and ATI/NVIDIA drivers did damage with permissions. Some
developers do it accidentally because they are not familiar with the system.
> There must be some reason the old shar program is almost forgotten, as it did
> just this thing, but nobody trusted those shell scripts enough to run them,
> unless they were signed with a trusted key.
Who will you trust? Microsoft was accused of playing 'software police' a couple
of weeks ago (in Australia). They disabled a perfectly legitimate program.
> What is the problem with apt-get and rpm based things like YaST ?
> I think they are far more simple to use than trying to find software for
> windows, and find out too late it made a bot of the machine.
>
> We already have the rpm-keys for all software contributors we trust.
> Other software must be a problem to install, and require manual work,
> or we will lose the machine too easily.
>
>
> /bb
--
~~ Best of wishes
Roy S. Schestowitz | "These characters were randomly picked"
http://Schestowitz.com | Free as in Free Beer | PGP-Key: 0x74572E8E
Load average (/proc/loadavg): 0.71 0.82 1.27 2/129 23139
http://iuron.com - semantic search engine project initiative