[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Revival of the signed debs discussion

Scripsit Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>

> There is no security as strong as many people reading the source over
> and over. You can't hack their brains to skip over the backdoor code
> and you can only obfuscate a backdoor so much.

I refer you to Ken Thompson's Turing award lecture. If someone who
really means business manages to compromise binary toolchain debs, all
the hackers in the world reading source over and over will not find
the backdoor.

(And "toolchain" here includes all code that is even marginally
involved in the process leading to itself being recompiled. Libc,
kernel images, lilo, dpkg, debhelper, perl, etc etc).

Henning Makholm                                   "No one seems to know what
                                       distinguishes a bell from a whistle."

Reply to: