[mosh-devel] Mosh OS X package build on Travis
john hood
cgull at glup.org
Mon Oct 31 11:17:53 EDT 2016
On 10/31/16 6:18 AM, John Hawkinson wrote:
> I think we should not lose sight of the fact that mosh is
> security-sensitive software in a category unlike many other
> software packages, and thus it is worth some inconvenience to
> the maintainers that you might not accept in a less sensitive
> tool.
>
> Another question: would we rather we be compromised at the same time
> when Github or Travis is compromised, or would we rather be
> compromised independently at a different time? Feel free to substitute
> "if" for "when" if it makes you feel better.

A question in reply: would we be likelier to *discover* that compromise
on a personal, daily-driver OS X install, or on a cloud service provider
with wide visibility (and exposure)? I'm dubious of my ability to
discover a compromise on my personal machines, and I'd of course like to
keep them personal. :)

Again, the idea of, say, a project-owned build VM comes up. Apple's OS
X licensing would seem to restrict this to an Apple developer and an OS
X host, though, which makes this more difficult.

regards,
--jh