Re: Hot Java is here! And it *rocks*

Sarr Blumson (sarr@citi.umich.edu)
Tue, 4 Apr 1995 11:11:23 +0500


In message <9504030915.AA12306@ouse.cl.cam.ac.uk> you write:
>>
>> Others have mentioned the safety issue, but let me put it a little more
>> strongly. I will NEVER EVER run a browser that depends on (no, is
>> willing to) executing binaries downloaded from a server, at least on
>> any currently extant hardware architecture. Nor will I trust a machine
>> where somebody has.
>
>So you will NEVER download packages from the net, compile them and install
>them? You rely on your native OS and its utilities completely. No-one
>checks source code (e.g. Gnu <fill-in-here>, XV etc etc) for "rm -r *".
>Just because you compile them doesn't make them safe. The same amount
>of trust applies.

Of course I do those things. Sometimes. When I do I think carefully
about where I'm getting them from, look at the source, and run them for
a while under an account I keep for that purpose with no access to
anything (the reason why I believe that even single user machines need
multiuser security, but that's another argument). People actually do
this. I recall a discussion on this very list a few months ago about a
package whose installation script downloaded another script and
executed it without warning. People noticed.

If I were using a browser that downloaded binary applets on a regular
basis, even that level of care would become unmanageable. Even
assuming that the browser warned me that it was happening.

--------
Sarr Blumson sarr@umich.edu
voice: +1 313 764 0253 FAX: +1 313 763 4434
CITI, University of Michigan http://www.citi.umich.edu:80/users/sarr/
519 W William, Ann Arbor, MI 48103-4943