
Re: Proxy support in apache



On Mon, 11 Aug 1997, Amos Shapira wrote:

> |you can TRUST a binary you compiled yourself from original sources better.
> 
> The fact that YOU trust such privately-compiled binaries just because
> you personally typed "make" doesn't mean anything.  People trust
> source code when they read it and look for trojan horses and security
> bugs - did you ever look at the Apache source for such holes?  If not
> then what makes you more comfortable with your own binary?

because I know the sources came from the original site and not from
redhat's "contrib" directory, to which people have already uploaded
bad binaries in the past (afaik, they found them all, they check more
closely now) or even altered sources before uploading (not all for
malicious reasons!)

I also trust the home-made vinaigrette on my salad, and anyway I make mine
with lemon juice instead of vinegar. so sue me.

> |also Apache has many more options at compile time other than the proxy
> |support...
> 
> That's a valid reason.  Do any of the options you choose differ
> significantly from the ones used to build the "official" RPM?  Can't
> you change them in the config file?

no, modules for authentication or status report. I want a referers log and
it's not default, same goes to the /status reporter. last but not least is
the ability to compile SSL add-ons.

> 
> Ira, don't get me wrong, I don't mind you doing anything with your own
> computer, but I don't like to see the spread of what are in my view
> false practices in the Linux community.  If you give me a good reason
> to justify your recommendation then I'll shut up about this.


like I said, a new NCFTP I would probably trust, but a daemon that runs on
my server, which is open for hits from the net (and maybe runs as root) is
a reason to recompile from the original site's sources. I gave ssh, apache
and squid as examples because they are popular apps, and the RPM contrib
directories might have them with trojans for all I know. call me a
paranoid.


   -------------------------------------------------------------
   Ira Abramov          <ira@scso.com>        Scalable Solutions
   POBox 3600, Jerusalem 91035, Israel       Tel (972)2-642-6822
   http://www.scso.com/~ira   Check out: http://www.linux.org.il

