[FFmpeg-user] What is the difference between versions of ffmpeg?
Reindl Harald
h.reindl at thelounge.net
Sat Oct 4 23:15:53 CEST 2014
On 04.10.2014 at 22:49, Phil Rhodes wrote:
>> there is a *large* difference between using a distributions
>> repo with signed packages or click for every app you want
>> to use on a different random website clueless about who
>> built the binary
> I don't think either situation really guarantees anything, does it?
you stopped reading the lines after your quote
your mistake!
a signed package is different from random crap and the difference starts
by clicking on the download link - you are sure the DNS you are using is
trustable? in case of a signed package even if it is compromised by a
MITM the package manager would refuse to install / update the package
until the MITM was able to steal the signing key of the distribution you
are using
> I'm not in a position to check every line of code in a piece of software before I build it
me too - but i somehow trust well known upstream developers which is not
the case for random binaries where nobody knows if the unmodified
upstream source was used
in case of distribution repos you know at least that they are signed and
changes/updates *likely* reviewed or if something bad happened some news
will tell about
in case of a hacked random server you used to download you know nothing
nor will any press take notice in case of an intrusion - if that happens
for opensource projects with some reputation you will hear about
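Added example, not part of the original message: a sketch of the check described above, where a client with a pinned distribution key refuses a package altered in transit and accepts a malicious one only if the signing key itself was stolen. The index format, the file name and the toy textbook-RSA key (a stand-in for the distribution's real OpenPGP signing) are assumptions constructed for illustration.

```python
import hashlib

# Toy textbook-RSA key standing in for the distribution's signing key.
# Constructed for illustration: Mersenne primes, no padding, NOT secure.
E = 65537
N = (2**521 - 1) * (2**607 - 1)            # public modulus, pinned on the client
D = pow(E, -1, (2**521 - 2) * (2**607 - 2))  # private exponent, held by the distro


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> int:
    """Distribution side: sign the repository index with the private key."""
    return pow(digest_int(data), D, N)


def make_index(packages: dict) -> bytes:
    """Repository index: one 'sha256  name' line per package (constructed format)."""
    return "\n".join(f"{hashlib.sha256(blob).hexdigest()}  {name}"
                     for name, blob in sorted(packages.items())).encode()


def install(name: str, blob: bytes, index: bytes, sig: int) -> str:
    """Client side: only the pinned (N, E) is trusted, nothing from the network."""
    if pow(sig, E, N) != digest_int(index):
        return "refused: index signature invalid"
    listed = {}
    for line in index.decode().splitlines():
        sha, pkg = line.split("  ", 1)
        listed[pkg] = sha
    if listed.get(name) != hashlib.sha256(blob).hexdigest():
        return "refused: package hash not in signed index"
    return "installed"


def demo() -> dict:
    name, good, evil = "ffmpeg.pkg", b"built from upstream source", b"modified in transit"
    index, evil_index = make_index({name: good}), make_index({name: evil})
    sig = sign(index)
    return {
        "genuine download": install(name, good, index, sig),
        "MITM swaps package": install(name, evil, index, sig),
        "MITM swaps package and index": install(name, evil, evil_index, sig),
        "signing key stolen": install(name, evil, evil_index, sign(evil_index)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
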