I think that BOINC project should set up some kind of "quality assurance" of the projects directly sponsored.
this discussion has been had again and again, but for the sake of argument...
How can anyone trust even only to the security? How can I be sure that someone is not running some "trojan" in my PC? Or just that any project is not "infected" by someone else?
ok, first thing to make clear is that this is a security issue (in the general sense, not suggesting that BOINC is either secure or insecure).
The simple answer is that you can't be 100% sure, and as always it's up to the user to decide, after all, it's your computer, so you can't expect someone to take the responsibility of deciding for you.
There are various measures in place to prevent "infection" as you call it, a "hacker" couldn't start distributing a virus or something without access to the private key, which is held on a computer not connected to the network (or at least not the Internet)
looking at the bigger picture, nothing is totally secure, security is a trade-off anyway, basically is the cost worth the benefit, and i wouldn't say it is for a system like this, which brings me on to my next point...
BOINC project should raise some kind of "ranking" about some aspects of the project as security and also related directly to the project as publication of the results.
a simple question: how do you propose this, in an acceptable manner, should be implemented?
There are many issues that need to be taken into account; such as who's responsible if a project turns out to be a virus-farm, and what should happen to the responsible party (either a person or an organisation)?
How would that person decide if a project is "trustworthy"?
how should projects that post a "DA approved" note without actual approval, be dealt with? (to prevent them doing it)
if your answer is "have a list on the BOINC site", how should the "list" of "safe" projects be protected from tamper? Who should have authorisation to edit that list? on what basis should people be authorised?
How is the user meant to trust that DA is doing the proper checks, and not just approving everything? this problem just shifts the issue from trusting the projects, to trusting DA, so i see no difference, the question of "how can i trust them" remains.
Taking a step back here for a moment, how do you know the actual BOINC client is "safe" ? how do you know that Rom hasn't added some questionable code into the application?
Also terms like "safe", "secure", and "trustworthy" are subject to opinion, what may be an acceptable risk to Dr. Anderson, might not be to you.
again, you'll never make anything totally secure, it's impossible, it would cost too much (look at the current "war on terror" nonsense)
That would help to raise the popularity of the whole BOINC project.
i doubt it, downloading from the internet is just as risky, if not more so, BOINC has a community, most faceless websites don't
for a more objective view of security in general, covering many other areas as well as computer and national security, i'd encourage anyone to read Bruce Schneier's Blog, Crypto-gram newsletters, and essays.