[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages removed from frozen

On 09-Feb-2000, Manoj Srivastava <srivasta@debian.org> wrote:
>  Craig> Your security argument is a strawman.  The source code is still there,
>  Craig> and the binaries are signed by a Debian maintainer.
>         You have, obviously, no background in security.
>         There hae been trojans propogated in binaroes which depended
>  on themseleves wothout ever appearing in source code. 
>         Strawman, my foot.

I have plenty of background in compilers, and I can tell you that the
story you are almost certainly referring to (C compiler that inserts
code into login.c, and then into the C compiler when being recompiled)
was ficticious.  It was a story.  Very well told to make it seem very

If there is a *real* incident of this nature I'd be very interested to
get a reference to it.  There's no particularly reason why this couldn't
happen, except that it's a difficult and fragile way to propogate a
virus.  The story itself is supposed teach you that source code cannot
be fully trusted in the presence of binaries.

The quantum sort: 
	while (!sorted) { do_nothing(); }
Tyson Dowd   <tyson@tyse.net>   http://tyse.net/

Reply to: