Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!zaphod.mps.ohio-state.edu!usc!rutgers!cbmvax!andy
From: andy@cbmvax.commodore.com (Andy Finkel)
Newsgroups: comp.sys.amiga
Subject: Re: Self Extracting Archives
Message-ID: <10102@cbmvax.commodore.com>
Date: 10 Mar 90 21:08:28 GMT
References: <55.25f441b5@uoft02.utoledo.edu> <195@sai.UUCP> <2675@leah.Albany.Edu> <79.25f87ef0@uoft02.utoledo.edu>
Reply-To: andy@cbmvax (Andy Finkel)
Distribution: na
Organization: Commodore, West Chester, PA
Lines: 49

In article <79.25f87ef0@uoft02.utoledo.edu> grx1042@uoft02.utoledo.edu (Steve Snodgrass) writes:
>In article <2675@leah.Albany.Edu>, wfh58@leah.Albany.Edu (William F. Hammond) writes:
>
>> The only way that I would execute a self-extracting archive is if
>I'll try not to be insulting, but this is a very stupid attitude. Has it
>occurred to you that there is basically no difference between executing a self
>extracting archive, and extracting some stuff from an archive then executing
>that? Either way, you run the same risk that some jerk who is out to cause
>trouble created the archive. The archive could even contain fake documentation
>and such. In short, there is no security advantage to non-self-extracting
>archives.

The thing I don't like about self extracting archives is that
it reduces the careful person to the same level as a trusting person.

When I get some PD software from an unknown source, I run it
through a couple tests after unpacking it, and *before* I ever run it.
(I unpack with an archiver I've used for years and trust).

Before the new code is ever executed on my system I run a couple
strings type programs on it that will pick up ASCII and simple
encryptions, and a disassembler. (I don't try to actually decrypt
the strings, just detect the presence, which is a whole lot easier)

If a program doesn't pass the simple tests, or has large sections
of binary that don't appear to be 68K code or strings, then I
don't run it.

A self unpacking archiver removes this option. Because unless I write
special strings tools to work on the compressed format, and a special
disassembler, I've got no choice but to execute the program.

(if I went to the trouble of writing a special strings program I might
as well finish the job and write the unpacker! :-) )

>/\=======================================================================/\
>\/ Reality: Steve Snodgrass |"Volts embodied intent, and Amps were the \/

			andy
-- 
andy finkel		{uunet|rutgers|amiga}!cbmvax!andy
Commodore-Amiga, Inc.

"Not everything worth doing is worth doing well."

Any expressed opinions are mine; but feel free to share.
I disclaim all responsibilities, all shapes, all sizes, all colors.
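
The pre-execution string checks described in the post above, as an added example that is not part of the original post and not the poster's own tools. It assumes a single-byte XOR stands in for "simple encryptions"; the function names and the sample bytes are constructed for illustration, and the disassembler pass is out of scope.

```python
import re

PLAIN = re.compile(rb"[\x20-\x7e]{6,}")        # strings-style printable runs
WORDY = re.compile(rb"[A-Za-z][A-Za-z ]{11,}")  # letters and spaces only, 12+ bytes

def ascii_strings(data):
    """Return (offset, text) for each printable-ASCII run of 6+ bytes."""
    return [(m.start(), m.group().decode("ascii")) for m in PLAIN.finditer(data)]

def xor_hidden_strings(data):
    """Return (offset, key, text) for spans that read as text under a one-byte XOR.

    This only detects presence. Spans that are already printable are skipped:
    they show up in the plain pass, and plain text XORed with a small key
    would otherwise be reported again.
    """
    hits = []
    for key in range(1, 256):
        decoded = data.translate(bytes(b ^ key for b in range(256)))
        for m in WORDY.finditer(decoded):
            if not PLAIN.fullmatch(data[m.start():m.end()]):
                hits.append((m.start(), key, m.group().decode("ascii")))
    return hits

def triage(data):
    """Run both passes and report the share of bytes neither pass explains."""
    plain, hidden = ascii_strings(data), xor_hidden_strings(data)
    covered = set()
    for off, text in plain:
        covered.update(range(off, off + len(text)))
    for off, _key, text in hidden:
        covered.update(range(off, off + len(text)))
    ratio = 1 - len(covered) / len(data) if data else 0.0
    return {"plain": plain, "hidden": hidden, "unexplained_ratio": ratio}

# Constructed sample (not a real program): 4 header bytes, one visible string,
# one string XORed with 0xA5, 4 trailing bytes.
SECRET = b"this text is hidden by xor"
SAMPLE = (bytes([0x00, 0x00, 0x03, 0xF3]) + b"Usage: demo <file>\x00"
          + bytes(b ^ 0xA5 for b in SECRET) + bytes([0x4E, 0x75, 0x00, 0x00]))

if __name__ == "__main__":
    report = triage(SAMPLE)
    for off, text in report["plain"]:
        print(f"plain  @{off:#06x}: {text}")
    for off, key, text in report["hidden"]:
        print(f"xor    @{off:#06x} key={key:#04x}: {text}")
    print(f"unexplained: {report['unexplained_ratio']:.0%} (left for the disassembler pass)")
```

Run against a compressed self-extracting archive, both passes see only the small unpacker stub and the unexplained share approaches 100%, which is the loss of visibility the post describes.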