[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages removed from frozen

[Trying to bring light instead of heat this time, so if you could
put aside the flame thrower for a second . . . ]
On Wed, Feb 09, 2000 at 05:38:35PM -0600, Manoj Srivastava wrote:
>         Trust me. Unless the author of the trojan hack has already
>  infected Digital UNIX cc, HPUX cc, AIX cc, there is not trojan
>  carried through purely in the binary. (Oh, and the digital unic CC
>  was also bootstrapped with the VMS CC)
>         Did you think I would give teh dispensation to gcc so easily?
>  Any such trojan, in gcc, has to be present in the source code. And
>  people who are paranoid enough can do a security audit with out being
>  blind sided by a binary only trojan.

Okay, any binary-only trojan could be found (in theory) by looking
through the binary code. For something like GNAT, you even have
the assembly code there to look through. What would it take to make
you satisified with a security audit of such materials?

Furthermore, since it sounds like you have more objections to the
bootstrapping than just security, would it help to include intermediate
source code in the source package? I.e. the C code resulting from oo2c
being run over itself, or the assembly code from gcc or GNAT being run
over itself?

David Starner - dstarner98@aasaa.ofe.org
Only a nerd would worry about wrong parentheses with
square brackets. But that's what mathematicians are.
   -- Dr. Burchard, math professor at OSU

Reply to: