Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!ames!pacbell!att!mcdchg!mcdphx!estinc!fnf
From: fnf@estinc.UUCP (Fred Fish)
Newsgroups: comp.sys.amiga
Subject: Re: Self Extracting Archives
Message-ID: <270@estinc.UUCP>
Date: 16 Mar 90 16:59:07 GMT
References: <55.25f441b5@uoft02.utoledo.edu> <195@sai.UUCP> <2675@leah.Albany.Edu> <79.25f87ef0@uoft02.utoledo.edu> <10102@cbmvax.commodore.com> <90.25fc5fd6@uoft02.utoledo.edu> <492d7755.1a5bf@moth.engin.umich.edu> <104.25fdcdd4@uoft02.utoledo.edu>
Reply-To: fnf@estinc.UUCP (Fred Fish)
Distribution: na
Organization: Enhanced Software Technologies, Tempe, AZ
Lines: 39

In article <104.25fdcdd4@uoft02.utoledo.edu> grx1042@uoft02.utoledo.edu (Steve Snodgrass) writes:
>Anyone who goes to *THAT* much trouble could just as easily create an
>executable file that looked completely innocuous and put it in a zoo archive.
>The point here is that any argument applied against a self-extracting archive
>can also be applied against an executable inside a zoo file.

I would have stayed out of this discussion except for the fact that I find
SXA's particularly distasteful.  Anyway, the above statement is clearly false
because there exists a set of arguments against SXA's that cannot be applied
against executables inside a normal archive for the simple reason that they
are not applicable.  For example:

	1.	There is no simple way to get a listing of the contents
		of an SXA.  There is a simple way for non-SXA's.

	2.	The extraction code for an SXA may do bad things to your
		system.  There is no extraction code inside a non-SXA, it
		is in the "trusted" archive program instead.

	3.	SXA's are machine dependent and can only be run/used/extracted
		on the target machine for which they were built unless a
		separate archiver exists that supports both SXA's and
		non-SXA's.  A non-SXA can be unpacked and examined on any
		machine for which the required archiver is available.

	(there are more, which have already been stated by others against
	 SXA's so I won't continue the list.  Only one argument is sufficient
	 to prove the statement false anyway.		

>I'm not debating the existence of trojans/viruses.  However, it's silly to
>label self-extracting archives as inherently more dangerous than any other
>archive you might come across.

Apparently there are a lot of people that would disagree with you here.

-Fred
-- 
# Fred Fish, 1835 E. Belmont Drive, Tempe, AZ 85284,  USA
# 1-602-491-0048           asuvax!{nud,mcdphx}!estinc!fnf