
Re: Packages removed from frozen



On 09-Feb-2000, Manoj Srivastava <srivasta@debian.org> wrote:
>  Craig> Your security argument is a strawman.  The source code is still there,
>  Craig> and the binaries are signed by a Debian maintainer.
> 
>         You have, obviously, no background in security.
> 
>         There have been trojans propagated in binaries which depended
>  on themselves without ever appearing in source code.
> 
>         Strawman, my foot.

I have plenty of background in compilers, and I can tell you that the
story you are almost certainly referring to (C compiler that inserts
code into login.c, and then into the C compiler when being recompiled)
was fictitious.  It was a story.  Very well told to make it seem very
real.

If there is a *real* incident of this nature I'd be very interested to
get a reference to it.  There's no particular reason why this couldn't
happen, except that it's a difficult and fragile way to propagate a
virus.  The story itself is supposed to teach you that source code cannot
be fully trusted in the presence of binaries.

-- 
The quantum sort: 
	while (!sorted) { do_nothing(); }
Tyson Dowd   <tyson@tyse.net>   http://tyse.net/