[buug] Gentoo, Bluecurve and Linux too!

Patrick Soltani psoltani at ultradns.com
Fri Oct 18 11:53:40 PDT 2002


> 	Blindly compiling packages is no more secure than using
> distribution binaries. You gain no inherent security through 
> the act of
> running GCC yourself.

No arguments here.

> Do you read the source before you compile it? Would
> you catch a backdoor, buffer overflow, trojan if you did?

Yes and No.
Yes, I check the source code, usually through MD5 fingerprints or PGP signatures.
Also, depending on the time I have, I browse through the code.  Do I catch the backdoors, trojans, etc.? Maybe not, but diffing with the older version usually tells you what's up.

With binaries you don't have the option! With source you do. That's all.
Oh, one more thing: when something does not work, or works as you don't expect it to, you can fiddle with the source, but you have NO OPTIONS with binaries.

 
> In the past 6
> months we've seen both Sendmail and OpenSSH source distributions
> backdoored, in the past tcp_wrappers and others. In fact, the OpenSSH
> trojan was a compile time exploit -- building your own SSH 
> was the only
> way to get hit by that, a binary package would have been safe!

I don't blindly trust the source code either.  After the compile, build and TESTING, I then roll it out.  Remember that catching backdoors, trojans, worms, etc. is possible with good firewall filtering and IDS, coupled with good tcpdumping.

Again, I don't disagree with you on the point raised, however, I believe we have more tools in our arsenal to deal with that when you have the source code.


Regards,
Patrick Soltani.
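The checks Patrick describes (verify the download's fingerprint, then diff the new release against the previous one before building) as a small shell script. This is an added example, not code from the original post or from any distribution; the package names, file contents and "published" checksum are constructed for the demo. It uses SHA-256 rather than the MD5 the post mentions, since MD5 collisions are practical today, and the published value is assumed to have been obtained from a channel separate from the download itself (a signed release announcement), because a checksum fetched from the same mirror as the tarball is only as trustworthy as that mirror.

```shell
#!/bin/sh
# Added example, not code from the original post. Every file name, file
# body and the "published" checksum below is constructed for the demo.

set -u

# verify_checksum FILE EXPECTED_SHA256
# Returns 0 when FILE's SHA-256 equals the published value, 1 otherwise.
verify_checksum() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# count_changes OLD_DIR NEW_DIR
# Prints the number of files that differ between two unpacked source trees
# (modified files plus files present in only one of the trees).
count_changes() {
    diff -rq "$1" "$2" | wc -l | tr -d ' '
}

# show_changes OLD_DIR NEW_DIR
# Prints a unified diff of the two trees for human review. diff exits 1
# when the trees differ, which is the expected case here, so that status
# is not propagated.
show_changes() {
    diff -ru "$1" "$2"
    return 0
}

# make_demo_trees BASE_DIR
# Creates constructed "pkg-1.0" (previous release) and "pkg-1.1" (new
# release) trees: main.c is modified and a configure script is added.
make_demo_trees() {
    mkdir -p "$1/pkg-1.0" "$1/pkg-1.1"
    printf 'all:\n\tcc -o pkg main.c\n' > "$1/pkg-1.0/Makefile"
    cp "$1/pkg-1.0/Makefile" "$1/pkg-1.1/Makefile"
    printf 'int main(void) { return 0; }\n' > "$1/pkg-1.0/main.c"
    printf '#include <stdio.h>\nint main(void) { return 0; }\n' > "$1/pkg-1.1/main.c"
    printf '#!/bin/sh\necho configuring\n' > "$1/pkg-1.1/configure"
}

# Demo run: a stand-in "tarball" whose contents are the constructed
# string "hello\n", with its SHA-256 playing the role of the published value.
work=$(mktemp -d)
make_demo_trees "$work"
printf 'hello\n' > "$work/pkg-1.1.tar"
published=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

if verify_checksum "$work/pkg-1.1.tar" "$published"; then
    echo "checksum OK: $(count_changes "$work/pkg-1.0" "$work/pkg-1.1") file(s) changed since 1.0"
    show_changes "$work/pkg-1.0" "$work/pkg-1.1"
else
    echo "checksum MISMATCH for $work/pkg-1.1.tar: do not build"
fi
rm -rf "$work"
```

In practice the diff step is where a review pays off: an added `configure` script or a changed build file deserves the same attention as changes to the C sources, since build-time code runs with the builder's privileges.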
