[buug] Gentoo, Bluecurve and Linux too!

Michael Salmon ms at formulae.org
Fri Oct 18 12:10:26 PDT 2002


On Fri, Oct 18, 2002 at 11:53:40AM -0700, Patrick Soltani wrote:
> > Do you read the source before you
> > compile it? Would
> > you catch a backdoor, buffer overflow, trojan if you did? 
> 
> Yes and No.
> Yes, I check the source code usually thru MD5 fingerprints, or pgp signatures.
> Also depending on the time I have, I browse thru the code.  Do I catch the backdoors, trojans, etc, maybe not, but diffing with the older version usually tells you what's up.

And how are you sure the md5 hash hasn't been tampered with?
Having an md5 signature is only done on compressed packages (.tar, etc),
this usually stops you from doing such things as diffing with older versions.
Basically I doubt you would do such a thing without keeping the application
tracked with cvs.

I suggest you read the classic paper "Reflections on Trusting Trust" by
Ken Thompson. If you happened to have read it already, read it again because
you didn't understand it.

> With binary you don't have the option! with source you do. that's all.
> Oh one more thing, when something does not work, or works as you don't expect it, you can fiddle with the source, but you have NO OPTIONS with binaries.

I disagree. I will make the observation that we are talking about open source
software, which if you have a binary for that would imply you can also
get the source for what made the binary. So then simply uninstall the binary
if it is giving you grief, get the src for it, and bash your head against it.

> > In the past 6
> > months we've seen both Sendmail and OpenSSH source distributions
> > backdoored, in the past tcp_wrappers and others. In fact, the OpenSSH
> > trojan was a compile time exploit -- building your own SSH 
> > was the only
> > way to get hit by that, a binary package would have been safe!
> 
> I don't blindly trust the source code either.  After the compile, build and TESTING, I then roll it out.  Remember that catching backdoors, trojans, worms, etc, is possible with good firewall filtering, IDS, coupled with good tcpdumping.
> 
> Again, I don't disagree with you on the point raised, however, I believe we have more tools in our arsenal to deal with that when you have the source code.
> 
> 
> Regards,
> Patrick Soltani.
> 
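The thread above touches two checks a defender actually runs on a source release: a checksum over the tarball (which, as Michael notes, attests only to the archive as a whole and only if the checksum itself came from somewhere the attacker does not control) and a diff against the previous release (which is how a compile-time backdoor in a build script, like the OpenSSH case mentioned, would show up). The script below is an added example written for this page; it is not code from either poster or from any of the projects named. It builds two small release tarballs in memory with constructed contents, hashes each archive, and diffs them member by member, flagging any change to the files that run at build time (`configure`, `Makefile.in` and friends, an assumed list) so those get read first.

```python
"""Compare two source release tarballs and flag changes to build-time files.

Added example (not code from the buug thread or any of its participants).
The two tarballs below are constructed in memory with made-up file contents
so the script runs offline; the file names are assumptions about what a
typical autoconf-style release contains.
"""
import difflib
import hashlib
import io
import tarfile

# Files whose modification deserves a closer look: they run on the machine
# doing the compile, so a change here hits the builder, not just the binary.
BUILD_TIME_FILES = {"configure", "configure.in", "configure.ac", "Makefile",
                    "Makefile.in", "Makefile.am"}


def build_tarball(name: str, files: dict) -> bytes:
    """Create a gzip tarball (in memory) with the given {path: text} members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in sorted(files.items()):
            data = text.encode()
            info = tarfile.TarInfo(name=f"{name}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tarball_digest(data: bytes, algo: str = "sha256") -> str:
    """Digest of the whole archive: this is all a checksum file attests to."""
    return hashlib.new(algo, data).hexdigest()


def read_tarball(data: bytes) -> dict:
    """Return {relative path: text} for every regular file in the archive."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # strip the leading "<name>/" release directory
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            files[rel] = tar.extractfile(member).read().decode()
    return files


def diff_releases(old_data: bytes, new_data: bytes) -> dict:
    """Diff two release tarballs member by member.

    Returns added/removed/modified path lists, a unified diff for each
    modified file, and the subset of added or modified files that run at
    build time (the ones to read first).
    """
    old, new = read_tarball(old_data), read_tarball(new_data)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    diffs = {
        p: "".join(difflib.unified_diff(
            old[p].splitlines(keepends=True), new[p].splitlines(keepends=True),
            fromfile=f"old/{p}", tofile=f"new/{p}"))
        for p in modified
    }
    suspicious = sorted(p for p in added + modified
                        if p.rsplit("/", 1)[-1] in BUILD_TIME_FILES)
    return {"added": added, "removed": removed, "modified": modified,
            "diffs": diffs, "build_time_changes": suspicious}


# Constructed sample releases: v1.1 fixes a bug in main.c and also appends a
# line to the configure script that has nothing to do with a build check.
V1 = build_tarball("demo-1.0", {
    "configure": "#!/bin/sh\necho checking for cc...\n",
    "Makefile.in": "all:\n\t$(CC) -o demo main.c\n",
    "main.c": "int main(void){return 1;}\n",
})
V2 = build_tarball("demo-1.1", {
    "configure": "#!/bin/sh\necho checking for cc...\nsh ./extra-step.sh\n",
    "Makefile.in": "all:\n\t$(CC) -o demo main.c\n",
    "main.c": "int main(void){return 0;}\n",
    "README": "demo 1.1\n",
})


def report(old_data: bytes, new_data: bytes) -> str:
    """Human-readable summary of what changed between two releases."""
    r = diff_releases(old_data, new_data)
    lines = [f"old sha256: {tarball_digest(old_data)}",
             f"new sha256: {tarball_digest(new_data)}",
             f"added: {r['added']}", f"removed: {r['removed']}",
             f"modified: {r['modified']}",
             f"build-time files touched: {r['build_time_changes']}"]
    for p in r["build_time_changes"]:
        if p in r["diffs"]:
            lines.append(r["diffs"][p])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(V1, V2))
```

Run it and the report lists `README` as added, `main.c` and `configure` as modified, and prints the unified diff of `configure` because it is the one build-time file that changed; the two archive digests differ, which is all a checksum comparison would ever have told you. Against real releases, replace `V1`/`V2` with the bytes of two downloaded tarballs whose checksums or signatures were checked against a copy obtained separately from the download server.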
