Re: Is Open Source software really more secure?

On Sun, Oct 08, 2000 at 07:00:59PM -0400, Daniel Jacobowitz typed:
} On Sun, Oct 08, 2000 at 02:34:16PM -0700, Paul Lowe wrote:
} > When was the last time someone looked over the entire code base of mySQL to
} > make sure it didn't have a trojan inside? I mean hey, theoretically, who
} > goes over source code? Reading other programmer's source is both painful and
} > difficult. It would not be hard for someone to release a oss package,
} > announce it on freshmeat, have it distributed to thousands of people -- and
} > have malicious code inside it. I mean, hey, do you always read the Makefile
} > to make sure it doesn't contain a line that says "rm -rf /" for "make
} > install"?
} When?  Probably in the last month or so.
} People actually do audit these things.  

There's a Linux security auditing project, actually.  That's how 
recent traceroute, syslogd, man (RedHat's, anyways), lpr, and lprng 
string format attacks and such were discovered.

} Not before they get posted to
} freshmeat, but I'm dubious about things from random sites anyway...
} it's a survival trait.  

Such as the ssh 1.2.28 rpm that was passed around and probably (though 
I don't know for sure) made it to rpmfind.net.  It was a bogus rpm, 
and of course trojaned.

} Packaged programs in distributions are
} generally fairly well looked-over and tested.

Yup.  I like how Debian is like that: over 5,400 some packages within 
Debian (e.g. done by actual Debian developers, as opposed to random 
people as is the case with most rpms).

An Thi-Nguyen Le
|It is only people of small moral stature who have to stand on their dignity.
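
The thread's worry about a hostile `make install` recipe, as an added example that is not part of the original posts: a small POSIX shell check that pulls the `install` target's recipe out of a Makefile and flags destructive or suspicious commands before the recipe is ever run. The two sample Makefiles and the pattern list are constructed for this demonstration, not taken from any real package.

```sh
#!/bin/sh
# Added example (not from the thread): inspect a Makefile's install target
# before running "make install".  Pattern list and sample Makefiles below
# are constructed for the demonstration.

# Print the recipe lines of the named target, with the leading tab removed.
recipe_of() {            # usage: recipe_of <makefile> <target>
    awk -v tgt="$2" '
        /^\t/ { if (intarget) { sub(/^\t+/, ""); print }; next }
        /^#/  { next }
        {
            intarget = 0
            if (index($0, ":") > 0) {
                split($0, parts, ":")
                n = split(parts[1], names, " ")
                for (i = 1; i <= n; i++) if (names[i] == tgt) intarget = 1
            }
        }
    ' "$1"
}

# Extended regexes for recipe commands no honest install target needs:
# wiping / or $HOME, piping a download straight into a shell, setuid bits.
SUSPICIOUS='rm -rf +(/|/\*|~|\$\(HOME\)|\$HOME)( |$)|(curl|wget) [^|]*\| *(sh|bash)|chmod +(u\+s|[4-7][0-7]{3})( |$)'

# Return 0 if the install recipe is clean, 1 (and print the offending
# recipe lines, numbered within the recipe) if anything matched.
audit_install() {        # usage: audit_install <makefile>
    if recipe_of "$1" install | grep -E -n "$SUSPICIOUS"; then
        return 1
    fi
    return 0
}

# Constructed sample Makefiles: one ordinary, one carrying a hostile recipe.
DEMO_DIR=$(mktemp -d)
printf 'install:\n\tinstall -m 755 foo $(DESTDIR)/usr/local/bin/foo\n\trm -rf $(DESTDIR)/usr/local/share/foo-old\n' \
    > "$DEMO_DIR/clean.mk"
printf 'all:\n\tcc -o foo foo.c\n\ninstall: all\n\tinstall -m 755 foo /usr/local/bin/foo\n\tchmod 4755 /usr/local/bin/foo\n\trm -rf /\n' \
    > "$DEMO_DIR/trojaned.mk"

for mk in clean.mk trojaned.mk; do
    if audit_install "$DEMO_DIR/$mk"; then
        echo "$mk: install recipe looks clean"
    else
        echo "$mk: REFUSE to run make install"
    fi
done
```

A grep over the recipe is a coarse screen, not an audit: it will not catch a hostile command hidden in a script the recipe calls, so it complements reading the package rather than replacing it.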
