mldonkey-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Mldonkey-users] MLDonkey & Debian ( Trying to do an Official Packag

From: Simon Peter
Subject: Re: [Mldonkey-users] MLDonkey & Debian ( Trying to do an Official Package )
Date: Thu, 29 May 2003 13:04:58 +0200 
> >  * trying to build a real chroot for mldonkey ( maybe using
> >   MLDONKEY_CHROOT, but it seems a little broken )
> As I have repeated a lot, this is really the most useless part. You
> have access to the code, so no troyan. It's written in Ocaml, so no
> buffer overflows. What are you afraid of ?

This is still not as useless as you say. Especially the fact that it is
written in Ocaml makes it look a lot more suspect to me:

1. I count Ocaml to the more unknown programming languages which
implicitly makes it more insecure because there are not many Ocaml
programs widely in use, so it is less tested in a real field. Regardless
of how convinced its authors may be of its security. there may be a lot
of compiler errors in there, which could produce unsecure binaries.

2. Of course is mldonkey open-source, but another strong fact is that
there are not many Ocaml programmers out there (including me), who could
professionally audit your code. I'm a nice C coder, though, and i audit
most of the other daemons, i run on my machine. With mldonkey, i have no
clue what it really does, since i cannot understand a single line of its
code. It's like "no sweat! we tell you everything about our program, but
esperanto is our mother-tongue."

Of course these are some very paranoid observations, but what other type
of people consider to run their programs in a chroot jail? ;)

Simon
reply via email to
[Prev in Thread] Current Thread [Next in Thread]