mldonkey-users

Re: [Mldonkey-users] MLDonkey & Debian ( Trying to do an Official Packag


From: b8_bavard
Subject: Re: [Mldonkey-users] MLDonkey & Debian ( Trying to do an Official Package )
Date: Thu, 29 May 2003 15:14:02 +0200

>  This is still not as useless as you say. Especially the fact that it is
>  written in Ocaml makes it look a lot more suspect to me:
>  
>  1. I count Ocaml to the more unknown programming languages which
>  implicitly makes it more insecure because there are not many Ocaml
>  programs widely in use, so it is less tested in a real field. Regardless
>  of how convinced its authors may be of its security, there may be a lot
>  of compiler errors in there, which could produce insecure binaries.

As I said, every byte received from the network in mldonkey is
translated to a nice Ocaml structure. Ocaml does checks on all string
accesses, to avoid overflows. Of course, there are not many programs
in Ocaml, so some bugs are still there somewhere, but on the other
hand, the Ocaml runtime is pretty small, and it can easily be verified
that these checks are correctly done.

>  2. Of course mldonkey is open-source, but another strong fact is that
>  there are not many Ocaml programmers out there (including me), who could
>  professionally audit your code. I'm a nice C coder, though, and I audit
>  most of the other daemons I run on my machine. With mldonkey, I have no
>  clue what it really does, since I cannot understand a single line of its
>  code. It's like "no sweat! we tell you everything about our program, but
>  esperanto is our mother-tongue."

Yes, but if you have read slashdot last week, you should now know more
about Ocaml :) Or at least, you should know that you should learn it :)

>  Of course these are some very paranoid observations, but what other type
>  of people consider running their programs in a chroot jail? ;)

My point is just that a Debian package is probably not useful for such
people, and its maintainer should focus on making it more friendly,
instead of focusing on security. Maybe I'm a bit too naive, but I
don't like the mistrust and the associated security campaigns of the
modern world, I prefer thinking that we are all friends (anyway, there
is nothing to be stolen on my computer, except the photos of my last
holidays :)

- b8_bavard (mldonkey)
-------------------------------------- 
Homepage: http://www.mldonkey.net/
--------------------------------------
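
The bounds-checking behaviour described in the message above, as an added example that is not part of the original post and is not mldonkey code. The packet layout (1-byte opcode, 2-byte little-endian length, payload) and all names are assumptions made for illustration.

```ocaml
(* Added illustration, not mldonkey code. Constructed wire format:
   1-byte opcode, 2-byte little-endian length, then the payload. *)
type message = { opcode : int; payload : string }

(* s.[i] is bounds-checked: an out-of-range index raises Invalid_argument
   instead of reading adjacent memory. *)
let get_uint16_le (s : string) (pos : int) : int =
  Char.code s.[pos] lor (Char.code s.[pos + 1] lsl 8)

(* Trusts the declared length; only the runtime checks stand in the way. *)
let parse_unchecked (buf : string) : message =
  let opcode = Char.code buf.[0] in
  let len = get_uint16_le buf 1 in
  { opcode; payload = String.sub buf 3 len }

(* Validates the declared length first, so malformed input becomes an
   ordinary Error value rather than an exception the caller might miss. *)
let parse (buf : string) : (message, string) result =
  if String.length buf < 3 then Error "truncated header"
  else
    let len = get_uint16_le buf 1 in
    if len > String.length buf - 3 then Error "declared length exceeds packet"
    else Ok { opcode = Char.code buf.[0]; payload = String.sub buf 3 len }

let show name buf =
  (match parse_unchecked buf with
   | m -> Printf.printf "%s unchecked: opcode=%d payload=%S\n" name m.opcode m.payload
   | exception Invalid_argument e ->
     Printf.printf "%s unchecked: runtime check raised Invalid_argument %S\n" name e);
  match parse buf with
  | Ok m -> Printf.printf "%s checked: opcode=%d payload=%S\n" name m.opcode m.payload
  | Error e -> Printf.printf "%s checked: rejected (%s)\n" name e

let () =
  (* Constructed sample packets. *)
  show "well-formed" "\x01\x05\x00hello";
  show "lying length" "\x01\xff\xffhi";
  show "truncated" "\x01"
```

Compiling with `-unsafe`, or calling `String.unsafe_get`, removes these checks, so an audit of OCaml network code should look for both.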



