[buug] Gentoo, Bluecurve and Linux too!

Aaron T Porter atporter at primate.net
Fri Oct 18 11:37:40 PDT 2002


On Fri, Oct 18, 2002 at 11:32:29AM -0700, Patrick Soltani wrote:
> > I don't see the point in compiling by hand if you can have a 
> > package do it for you.
> 
> How do you know the package given to you by the vendor is clean and not
> tampered with? You are trusting the vendor to have given you a good
> binary, but simply you don't know. With source, you'd know what is
> being compiled and built.
> 
> Although I saw a warning from the SendMail folks that someone had tampered
> with the sendmail source, even this extreme event is caught very fast by
> folks that do a diff of the old source and the new one. Guess that's the
> main benefit of compiling the source; apart from getting high on
> compiler/linker switches that scroll off of the screen! :-)

	Blindly compiling packages is no more secure than using
distribution binaries. You gain no inherent security through the act of
running GCC yourself. Do you read the source before you compile it? Would
you catch a backdoor, buffer overflow, or trojan if you did? In the past 6
months we've seen both Sendmail and OpenSSH source distributions
backdoored, and in the past tcp_wrappers and others. In fact, the OpenSSH
trojan was a compile-time exploit -- building your own SSH was the only
way to get hit by that; a binary package would have been safe!
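Both messages come down to the same point: running the compiler tells you nothing about whether the source you fed it is the source the project released. The check that actually catches the tampering the thread mentions is comparing what you downloaded against something you already trust, either a previous copy or a digest obtained out of band. The script below is an added example written for this page, not code from the buug thread or from any of the projects named in it; the package names, file contents and the "injected" line in the sample trees are all constructed for the demo. It hashes every file under two source trees and reports what was added, removed or modified, and it also shows how to check a downloaded archive against a published digest.

```python
"""Detect changes between two copies of a source tree by hashing every file.

Added example (not code from the buug thread): the check the thread alludes
to when it says people diff the old source and the new one. Compare a fresh
download against a copy you already trust, or against a manifest of digests
obtained out of band, before running ./configure or make.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(trusted: dict, candidate: dict) -> dict:
    """Report which files were added, removed or modified in the candidate."""
    return {
        "added": sorted(set(candidate) - set(trusted)),
        "removed": sorted(set(trusted) - set(candidate)),
        "modified": sorted(
            name for name in set(trusted) & set(candidate)
            if not hmac.compare_digest(trusted[name], candidate[name])
        ),
    }


def verify_file_digest(path: Path, expected_hex: str) -> bool:
    """Check a downloaded tarball against a digest published out of band
    (e.g. on the project's own site, not on the mirror that served the file)."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def _write_tree(root: Path, files: dict) -> None:
    """Materialise a {relative path: bytes} mapping on disk."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Constructed sample: a trusted copy and a tampered mirror copy of a
    hypothetical package. Nothing here is a real project's source."""
    trusted_files = {
        "README": b"hypothetical package 1.0\n",
        "configure": b"#!/bin/sh\necho checking for gcc\n",
        "src/main.c": b"int main(void) { return 0; }\n",
    }
    # Same release, but the build script gained a line, one file was dropped
    # and a new source file appeared. A plain './configure && make' would
    # happily run all of it; only the comparison shows the difference.
    tampered_files = dict(trusted_files)
    tampered_files["configure"] += b"sh -c 'echo injected build step'\n"
    del tampered_files["README"]
    tampered_files["src/helper.c"] = b"void helper(void) {}\n"

    with tempfile.TemporaryDirectory() as tmp:
        trusted_root = Path(tmp) / "trusted"
        candidate_root = Path(tmp) / "candidate"
        _write_tree(trusted_root, trusted_files)
        _write_tree(candidate_root, tampered_files)
        return compare_manifests(tree_manifest(trusted_root),
                                 tree_manifest(candidate_root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The comparison is only as good as the trusted side: a manifest fetched from the same mirror as the tarball proves nothing, which is why the digest (or a signature over it) has to come from a channel the mirror does not control. Note also that a modified `configure` script shows up here exactly like a modified `.c` file, which matters because the compile-time trojan Aaron describes lives in the build machinery rather than in the program that gets installed.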