Re: Packages removed from frozen
On 09-Feb-2000, Manoj Srivastava <srivasta@debian.org> wrote:
> Craig> Your security argument is a strawman. The source code is still there,
> Craig> and the binaries are signed by a Debian maintainer.
>
> You have, obviously, no background in security.
>
> There have been trojans propagated in binaries which depended
> on themselves without ever appearing in source code.
>
> Strawman, my foot.
I have plenty of background in compilers, and I can tell you that the
story you are almost certainly referring to (C compiler that inserts
code into login.c, and then into the C compiler when being recompiled)
was fictitious. It was a story. Very well told to make it seem very
real.

If there is a *real* incident of this nature I'd be very interested to
get a reference to it. There's no particular reason why this couldn't
happen, except that it's a difficult and fragile way to propagate a
virus. The story itself is supposed to teach you that source code cannot
be fully trusted in the presence of binaries.
--
The quantum sort:
while (!sorted) { do_nothing(); }
Tyson Dowd <tyson@tyse.net> http://tyse.net/