Subject: Re: pkg_delete "Executing" output
To: None <tech-pkg@NetBSD.org>
From: Juan RP <juan@xtraeme.nopcode.org>
List: tech-pkg
Date: 02/10/2005 17:55:28

On Thu, 10 Feb 2005 11:45:42 -0500 (EST)
Todd Vierling <tv@duh.org> wrote:

> Ah, but these warnings from pkg_* are real operational warnings that could
> have real runtime impact.  I want to see the operational warnings, because
> they really could cause Bad Things to happen on my system, and I don't want
> them obscured by otherwise useless messages scrolling them right off the top
> of the screen in a flood of logs about otherwise "normal" operations.
> 
> It doesn't matter if we deliberately trojan packages right now just to make
> the security point.  Users still won't read the "Executing ..." messages
> about trojan operations; they will just blissfully ignore the messages
> anyway.  After all, they're "normal" package operations, since they appear
> in just about every package, right?
> 
> Security considerations of @[un]exec should be approached by a more
> security-centered approach, such as digital signatures.

I agree with Todd; those messages should be displayed with a verbose flag, not
without it and enabled by default.
