[buug] Gentoo, Bluecurve and Linux too!

Jeremy Brand, B.S. jeremy at nirvani.net
Fri Oct 18 11:49:02 PDT 2002


Thus spake Patrick Soltani:

> > I don't see the point in compiling by hand if you can have a
> > package do
> > it for you.
>
> How do you know the package given to you by the vendor is clean and not
> tampered with? You are trusting the vendor to have given you a good
> binary, but simply you don't know. With source, you'd know what is being
> compiled and built.

Do you really know?  Most Linux vendors ship the source for the binaries
they compile.  Yes, it is true they could do it differently, but does
anyone have the time to read the source for binutils every time they
compile, let alone sendmail!

How, or why, would you trust Gentoo's source to not be trojaned.  I don't
think any legitimate vendor would tamper with much, but if you do a build
of Gentoo from a server that has been tampered with, how would you know
unless you _READ_ (and I don't only mean read, but also mean KNOW) the
source wasn't tampered with either.

> Although I saw a warning from SendMail folks that someone had tampered
> with the sendmail source, however, even this extreme event is caught
> very fast by folks that do diff of the old source and the new ones.
> Guess that's the main benefit of compiling the source; apart from
> getting high on compiler/linker switches that scroll off of the screen!
> :-)

Vendors do this diff with their binaries too.

Note, in the latest sendmail issue.  Sendmail's source was tampered with,
however (use redhat as an example), their sendmail was fine.  So, who do
you trust more?

Eventually you have to marginally trust someone, or write your own OS.

Jeremy
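The check Patrick describes (diffing a known-good copy of the source against a fresh download) and the vendor-side equivalent Jeremy mentions both come down to comparing per-file digests. Added example, not from this thread or from any vendor's tooling: a Python script that builds a SHA-256 manifest for a source tree and reports files that were modified, added or removed relative to a trusted manifest. The two trees are constructed in memory and are not real sendmail source.

```python
import hashlib
from typing import Dict, List

def manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path in a source tree to the SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}

def compare_manifests(known_good: Dict[str, str], candidate: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a trusted manifest against one built from a fresh download.

    The trusted manifest must come from a separate channel (a previously verified
    copy, or a signed manifest), otherwise a tampered mirror can serve both.
    """
    modified = sorted(p for p in known_good if p in candidate and known_good[p] != candidate[p])
    added = sorted(p for p in candidate if p not in known_good)
    removed = sorted(p for p in known_good if p not in candidate)
    return {"modified": modified, "added": added, "removed": removed}

def is_clean(report: Dict[str, List[str]]) -> bool:
    """True only when no file differs in any way from the trusted manifest."""
    return not any(report.values())

def check_download(known_good_tree: Dict[str, bytes], candidate_tree: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Convenience wrapper: manifest both trees, then compare them."""
    return compare_manifests(manifest(known_good_tree), manifest(candidate_tree))

# Constructed sample trees (placeholders, not real project files).
KNOWN_GOOD_TREE = {
    "src/Makefile": b"all:\n\tcc -o prog main.c\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
# Same tree with one build file altered and one file added, as a tampered
# download would look to the comparison.
TAMPERED_TREE = {
    "src/Makefile": b"all:\n\tcc -o prog main.c\n\t./extra.sh\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/extra.sh": b"#!/bin/sh\n# constructed placeholder for an injected file\n",
}

if __name__ == "__main__":
    for label, tree in (("clean", KNOWN_GOOD_TREE), ("tampered", TAMPERED_TREE)):
        report = check_download(KNOWN_GOOD_TREE, tree)
        print(f"{label}: clean={is_clean(report)} {report}")
```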
