[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages removed from frozen

>>"David" == David Starner <dvdeug@x8b4e53cd.dhcp.okstate.edu> writes:

 David> Okay, any binary-only trojan could be found (in theory) by looking
 David> through the binary code. For something like GNAT, you even have
 David> the assembly code there to look through

         .Yeah, verrrry practical.

 David> What would it take to make you satisified with a security
 David> audit of such materials?

        For what conditions? For my home setup, this is not
 needed. For a Bank, that is not good enough. There is no one size
 fits all solution.

 David> Furthermore, since it sounds like you have more objections to
 David> the bootstrapping than just security, would it help to include
 David> intermediate source code in the source package? I.e. the C
 David> code resulting from oo2c being run over itself, or the
 David> assembly code from gcc or GNAT being run over itself?

        Not really, in the default case, since most suers do noit care
 that much for security.

        Instead, GNAT should be documented in the security FAQ as
 requiring a binary copy of gnat to build; and the potential therein
 of trojans (machine generated code is generally quite opaque; and a
 shorter loop would be harder to detect, having intermediate code does
 not add much to ease of detection.

 There are two times when a man doesn't understand a woman -- before
 marriage and after marriage.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to: