
Bobby Ward wrote:
Hey I've got this great program I've just compiled. Please download it and run it using only my non-existent reputation that it contains no malicious code.
Many people run bulk builds of the entire pkgsrc tree. Installing a malicious apache is MUCH more dangerous than running boost tests, yet some people use those binaries at their own risk.

I think we can make running tests a safe process.

1. Compile farms should be run by people with a good reputation.
2. Upload of binaries should be secure.
3. Binaries should be PGP signed and have md5 checksums.
4. Boost script should check that binaries are signed by a valid compile farm owner before running them.
5. Script may chroot/jail the test framework on OSes where these features are available (well, it doesn't completely protect).

BTW, how do you know that some developer submitted a code/patch with a buffer overflow by accident? He/she might be doing preparation work to attack the next version of OpenOffice. This problem is more subtle and dangerous than "someone, somewhere ran malicious boost tests".

--
Alexander Nasonov
http://nasonov.blogspot.com

Only the sinner has the right to preach. -- Christopher Morley

-- This quote is generated by:
    /usr/pkg/bin/curl -L http://tinyurl.com/veusy \
    | sed -e 's/^document\.write(.//' -e 's/.);$/ --/' \
    -e 's/<[^>]*>//g' -e 's/^More quotes from //' \
    | fmt | tee ~/.signature-quote
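Point 4 of the message above, as an added example that is not part of the original post or of any Boost script: a "good signature" from any key in the keyring is not enough, so the check pins the signer's primary-key fingerprint to an allowlist of farm owners. The function names, the `<binary>.asc` detached-signature layout, the fingerprints and the sample status lines are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed placeholder fingerprints of compile-farm owners (hypothetical).
FARM_OWNER_FPRS="0123456789ABCDEF0123456789ABCDEF01234567
89ABCDEF0123456789ABCDEF0123456789ABCDEF"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Farm A <farm-a@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2006-11-01 1162339200 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Read gpg status lines on stdin; print the primary-key fingerprint of the signer.
# Fails unless there is exactly one VALIDSIG and no bad/expired/revoked status.
signer_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG" { n++; fpr = (NF >= 12) ? $12 : $3 }
        END { if (bad || n != 1) exit 1; print fpr }
    '
}

# Succeed only if the full fingerprint matches an allowlist line exactly.
is_farm_owner() {
    [ -n "$1" ] && printf '%s\n' "$FARM_OWNER_FPRS" | grep -qxF -- "$1"
}

# Verify BINARY against BINARY.asc and run it only if a farm owner signed it.
# BINARY must be a path containing a slash (e.g. ./test_foo).
verify_and_run() {
    bin=$1
    status=$(gpg --batch --status-fd 1 --verify "$bin.asc" "$bin" 2>/dev/null) \
        || return 1
    fpr=$(printf '%s\n' "$status" | signer_from_status) || return 1
    is_farm_owner "$fpr" || { echo "untrusted signer: $fpr" >&2; return 1; }
    "$bin"
}
```

Matching on the full 40-hex fingerprint rather than a user ID or short key ID matters here, because anyone can create a key carrying a farm owner's name.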