Re: Packages removed from frozen
>>"David" == David Starner <firstname.lastname@example.org> writes:
David> Okay, any binary-only trojan could be found (in theory) by looking
David> through the binary code. For something like GNAT, you even have
David> the assembly code there to look through
Yeah, verrrry practical.
David> What would it take to make you satisfied with a security
David> audit of such materials?
For what conditions? For my home setup, this is not
needed. For a Bank, that is not good enough. There is no one size
fits all solution.
David> Furthermore, since it sounds like you have more objections to
David> the bootstrapping than just security, would it help to include
David> intermediate source code in the source package? I.e. the C
David> code resulting from oo2c being run over itself, or the
David> assembly code from gcc or GNAT being run over itself?
Not really, in the default case, since most users do not care
that much about security.
Instead, GNAT should be documented in the security FAQ as
requiring a binary copy of gnat to build, and the potential therein
for trojans (machine-generated code is generally quite opaque, and a
shorter loop would be harder to detect; having intermediate code does
not add much to ease of detection).
There are two times when a man doesn't understand a woman -- before
marriage and after marriage.
Manoj Srivastava <email@example.com> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
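The point Manoj makes above, that a binary-only bootstrap can carry a trojan which survives rebuilding the compiler from its own source, is Thompson's "trusting trust" attack, and the check that does catch it (diverse double-compiling, Wheeler) needs a second, independent compiler rather than intermediate output. The following is an added example written for this page, not code from the thread, from GNAT or from Debian: a toy Python model in which a "binary" is the tag `BIN|` followed by Python text, the compiler's entire codegen is adding that tag, and a self-reproducing payload is appended to the seed binary. The login program, the master password `opensesame`, and the hand-written `trusted_compile` standing in for an independent compiler are all constructed for the illustration.

```python
"""Toy model of a self-propagating compiler trojan (Thompson's "trusting trust")
and of the checks that do and do not detect it. Everything here is constructed
for illustration; it is not any real compiler's bootstrap."""
import hashlib

# Constructed toy "language": a binary is the text 'BIN|' followed by Python source
# that the toy loader executes. The clean compiler's whole codegen is adding the tag.
CLEAN_COMPILER_SRC = (
    "def compile_program(src):\n"
    "    return 'BIN|' + src\n"
)
LOGIN_SRC = (
    "def login(password, stored):\n"
    "    return password == stored\n"
)

# Self-reproducing payload (a quine: T % T rebuilds this exact text). When the trojaned
# binary compiles the compiler it appends itself to the output; when it compiles login
# it inserts a master password. Neither behaviour appears in CLEAN_COMPILER_SRC.
TEMPLATE = (
    "\nT = %r\n"
    "_clean = compile_program\n"
    "def compile_program(src):\n"
    "    out = _clean(src)\n"
    "    if 'def compile_program' in src:\n"
    "        out += T %% T\n"
    "    if 'def login' in src:\n"
    "        out = out.replace('password == stored',\n"
    "                          \"password == stored or password == 'opensesame'\")\n"
    "    return out\n"
)
TROJAN_PAYLOAD = TEMPLATE % TEMPLATE

CLEAN_BIN = "BIN|" + CLEAN_COMPILER_SRC      # what an honest build produces
TROJANED_BIN = CLEAN_BIN + TROJAN_PAYLOAD     # the binary-only seed we were handed


def load(binary):
    """Toy loader: execute the text after the 'BIN|' tag and return its namespace."""
    if not binary.startswith("BIN|"):
        raise ValueError("not a toy binary")
    ns = {}
    exec(binary[4:], ns)
    return ns


def build(compiler_binary, src):
    """Compile src with the given compiler binary; returns a new toy binary."""
    return load(compiler_binary)["compile_program"](src)


def sha(data):
    return hashlib.sha256(data.encode()).hexdigest()


def bootstrap_check(seed_binary, compiler_src, stages=3):
    """The usual stage comparison: rebuild the compiler from its own source repeatedly
    and require consecutive stages to be byte-identical. Returns (consistent, last)."""
    hashes, current = [], seed_binary
    for _ in range(stages):
        current = build(current, compiler_src)
        hashes.append(sha(current))
    return len(set(hashes)) == 1, current


def login_accepts(login_binary, password, stored):
    """Run a compiled login program on one (password, stored) pair."""
    return load(login_binary)["login"](password, stored)


def trusted_compile(src):
    """Hypothetical independent compiler (e.g. a second implementation on another
    platform). In this toy its codegen coincides with the clean compiler's."""
    return "BIN|" + src


def diverse_double_compile(suspect_binary, compiler_src):
    """Diverse double-compiling: build the compiler source with the independent
    compiler, rebuild it with that result, and require the suspect to produce the
    same bytes from the same source. True means the suspect matches its source."""
    stage1 = trusted_compile(compiler_src)
    stage2 = build(stage1, compiler_src)
    return sha(stage2) == sha(build(suspect_binary, compiler_src))


if __name__ == "__main__":
    consistent, stage = bootstrap_check(TROJANED_BIN, CLEAN_COMPILER_SRC)
    print("stage comparison passes:", consistent)            # trojan is a fixed point
    print("rebuilt stage still trojaned:", stage == TROJANED_BIN)
    login_bin = build(stage, LOGIN_SRC)
    print("master password accepted:", login_accepts(login_bin, "opensesame", "hunter2"))
    print("DDC flags suspect:", not diverse_double_compile(TROJANED_BIN, CLEAN_COMPILER_SRC))
    print("DDC accepts clean:", diverse_double_compile(CLEAN_BIN, CLEAN_COMPILER_SRC))
```

The stage comparison passes on the trojaned seed because the payload reinserts itself whenever the compiler source is compiled, so every stage is identical and the intermediate output looks like a normal build of the clean source plus opaque extra code. Only comparing against a build that started from a compiler the trojan never touched shows the difference, which is why the remedy is an independent bootstrap path rather than more intermediate code to read.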