[Sussex] Something for our Gentoo users
Steven Dobson
steve at dobson.org
Wed Sep 6 15:11:27 UTC 2006
Colin
On Wed, 2006-09-06 at 15:01 +0100, Colin Tuckley wrote:
> Something for all the Gentoo users out there who believe that building from
> source gives you a safer system.
>
> http://www.acm.org/classics/sep95/
>
> Hint: look at the date and the author for an idea on how seriously this
> should be taken.
How are Gentoo users any better off than the rest of us binary
distribution folks?

Thompson's moral is "[y]ou can't trust code that you did not totally
create yourself." Having not done a Gentoo build process, I'm guessing
here, but the first step has to be some kind of "get a set of program
binaries, including the compiler, so you can start compiling." By
downloading these binaries you could be downloading a Trojan compiler too.

    First we compile the modified [C compiler] source with the
    normal C compiler to produce a bugged binary. We install this
    binary as the official C [compiler]. We can now remove the bugs
    from the source of the compiler and the new binary will reinsert
    the bugs whenever it is compiled.

So if you first compiled with a compiler that you didn't "create
yourself" then you can't trust the compiler you've compiled. So no
better off!
Steve
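
The bootstrap problem described in the message above, as a toy model added here (it is not part of the original post and not Thompson's code): a downloaded compiler binary that carries a Trojan keeps it through every rebuild from clean source, and comparing the result against a rebuild from an independently obtained seed exposes the difference. All names (`Binary`, `run_compiler`, `bootstrap`, `seeds_agree`) and the source strings are hypothetical, constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for real source files (audited, contain no bug).
COMPILER_SRC = "cc: translate source to binary"
LOGIN_SRC = "login: check password"

@dataclass(frozen=True)
class Binary:
    code: str             # behaviour that is visible in the source
    trojan: bool = False  # behaviour carried only by the binary

    def digest(self) -> str:
        # Stands in for hashing the binary's bytes, which include the Trojan.
        return hashlib.sha256(f"{self.code}|{self.trojan}".encode()).hexdigest()

def run_compiler(cc: Binary, source: str) -> Binary:
    """Model of executing compiler binary `cc` on `source`."""
    if cc.trojan and source.startswith("cc:"):
        return Binary(source, trojan=True)      # re-inserts itself
    if cc.trojan and source.startswith("login:"):
        return Binary(source + " + backdoor")   # bugs the target program
    return Binary(source)                       # honest translation

def bootstrap(seed: Binary, rounds: int = 3) -> Binary:
    """Rebuild the compiler from clean source `rounds` times, starting from `seed`."""
    cc = seed
    for _ in range(rounds):
        cc = run_compiler(cc, COMPILER_SRC)
    return cc

def seeds_agree(seed_a: Binary, seed_b: Binary) -> bool:
    """Compare the compilers that two independently obtained seeds produce.
    A mismatch means at least one seed is not faithful to the source.
    Agreement proves nothing if both seeds carry the same Trojan."""
    return bootstrap(seed_a).digest() == bootstrap(seed_b).digest()

CLEAN_SEED = Binary(COMPILER_SRC)
TROJAN_SEED = Binary(COMPILER_SRC, trojan=True)   # the downloaded binary

if __name__ == "__main__":
    rebuilt = bootstrap(TROJAN_SEED)
    print("rebuilt from clean source, still trojaned:", rebuilt.trojan)
    print("login built with it:", run_compiler(rebuilt, LOGIN_SRC).code)
    print("independent seeds agree:", seeds_agree(CLEAN_SEED, TROJAN_SEED))
```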