Re: Unofficial buildd network has been shut down
On 02 Sep 2004 22:35:21 -0700, Thomas Bushnell BSG <tb@becket.net> said:
> Colin Watson <cjwatson@debian.org> writes:
>> On Thu, Sep 02, 2004 at 09:51:52AM -0700, Thomas Bushnell BSG wrote:
>> > But that's neither here nor there; the Thompson point is that
>> > your tool can be corrupted too. :)
>>
>> While Thompson's point is valid as far as it goes, going to this
>> extent really seems to be in the realm of science fiction. If
>> you're being attacked by the Blight [1], you lose ...
> I think Thompson's point is that any known automated system of
> checking is easily defeated.
Easily? I think not. And a pursuit of perfect security is
amateurish; there is no such thing. Don't make perfect the enemy of
the good; it is extremely desirable to layer defenses, and even if
each layer is penetrable alone, the system as a whole may make the
return on effort not worthwhile for the attacker (and may set the bar
too high for less competent attackers).
In any case, doing automated checking like this reduced the
window of vulnerability; the Thompson attack, for example, would have
to have been injected into gcc over a decade ago; and the window for
that attack is closed.
manoj
--
Q: What's the difference between a Mac and an Etch-a-Sketch? A: You
don't have to shake the Mac to clear the screen.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C