Re: [leganii@surfree.com: Re: FWD: C-Kermit & potato]

[Paul Flint <flint@flint.com>]

> Another bad scenario: Malicious hacker changes the software to cause damage
> or offense and redistributes it all over the world.  It still has the
> Columbia University name on it.  Columbia University is sued and/or its
> reputation suffers; I lose my job for releasing software with a license
> that allows this to happen.
> 
> Vaidhyanathan Mayilrangam <vaidhy@loonys.net> wrote on Thu, 6 Jan 2000:
> > The kermit debs are now available at
> > http://master.debian.org/~vaidhy/kermit.  The ckermit directory has the
> > full featured, non-free ckermit and gkermit has the GPL'd gkermit.
> >
> > This is a temporary location for the kermit packages. They will be moved 
> > over to woody once woody opens as unstable.
> >
> As of just now (14 January 2000, 14:00 EST), the Debian site:
> 
>   http://packages.debian.org/ckermit
> 
> still has:
> 
>   Release Quality Package (size)
>     stable 100% ckermit 193-3   (716.7k) 
> 	 A serial and network communications package.
> 
>    unstable 100% ckermit 195-1   (958.2k) 
> 	 A serial and network communications package.
> 
Dear Frank and the Debian Collective,

I commend Mr. da Cruz on his paranoia...scared me to death.

Regarding this security issue, do you self-check sum the code prior to
execution?  Would this be convenient, possible, or merely a pain in the
ass?  Admittedly, if you could make the lock, someone else could make the
key.  Either you could do this at make time (or even run time) or Debian
could do it in the apt-get process (this particular suggestion designed
to piss of Matt Zimmerman).

Thank you again Frank and...


Kindest Regards,

Paul Flint