[OS X TeX] [OT] All about P2P (was: MacTeX-2008 Status)

Adam R. Maxwell amaxwell at mac.com
Thu Sep 4 16:41:53 CEST 2008


On Sep 4, 2008, at 3:38 AM, Thomas Bohn wrote:

> On 4 Sep 2008, at 05:09, Adam R. Maxwell wrote:
>
>> Requesting data from an http/ftp/nntp server is a bit different  
>> from opening up your filesystem to people all over the world,
>
> You don't. At least not with BitTorrent, this protocol gives access  
> to the file(s) in question nothing else. It is to my knowledge not  
> possible to access other files, except those described in the  
> BitTorrent file.

Be that as it may, you are explicitly allowing traffic through your  
firewall in order for other persons to access some portion of your  
computer, right?

>> hoping the program doesn't have a buffer overflow or a back door  
>> that gives someone full access (assuming it was configured securely  
>> in the first place).
>
> This can be a problem if someone is spreading a manipulated  
> BitTorrent file and this can be as dangerous as opening a manipulated  
> JPEG in a browser. But who runs such software or any software for  
> that matter as root or admin?

I'd guess that most Mac users are running under an admin account all  
the time; I certainly run as admin at home.  Many of us are probably  
conditioned to enter our password every time it's requested, also...

> I think you get the "old" way of P2P like Napster and Gnutella  
> confused with BitTorrent.

My point is this: if it is possible to misconfigure the software /or/  
it contains an exploitable bug, your risk increases.  Google [1]  
indicates that such vulnerabilities have been found in bittorrent  
software [2].  The user (or owner of the computer/data) needs to  
decide if that risk is acceptable.

>> In the present case of MacTeX, it is not necessary to use p2p, so  
>> there's no justification for it.
>
> P2P can help to reduce the load of the servers and get MacTeX faster  
> to the people who want it. You actually can distribute it to the  
> public and to the mirrors at the same time.

Yes, it has some benefits, and can be a useful tool.  If it's worth  
the risk to you, by all means use it; it may not be acceptable for  
everyone on this list, though.

-- 
Adam

[1] http://www.google.com/search?ie=utf8&oe=utf8&q=bittorrent+vulnerability
[2] http://cyberinsecure.com/torrent-quietly-patched-an-old-zero-day-vulnerability/