On Sun, Oct 08, 2000 at 07:00:59PM -0400, Daniel Jacobowitz typed:
} On Sun, Oct 08, 2000 at 02:34:16PM -0700, Paul Lowe wrote:
} > When was the last time someone looked over the entire code base of mySQL to
} > make sure it didn't have a trojan inside? I mean hey, theoretically, who
} > goes over source code? Reading other programmers' source is both painful and
} > difficult. It would not be hard for someone to release an oss package,
} > announce it on freshmeat, have it distributed to thousands of people -- and
} > have malicious code inside it. I mean, hey, do you always read the Makefile
} > to make sure it doesn't contain a line that says "rm -rf /" for "make
} > install"?
}
} When? Probably in the last month or so.
}
} People actually do audit these things.

There's a Linux security auditing project, actually. That's how recent traceroute, syslogd, man (RedHat's, anyways), lpr, and lprng string format attacks and such were discovered.

} Not before they get posted to
} freshmeat, but I'm dubious about things from random sites anyway...
} it's a survival trait.

Such as the ssh 1.2.28 rpm that was passed around and probably (though I don't know for sure) made it to rpmfind.net. It was a bogus rpm, and of course trojaned.

} Packaged programs in distributions are
} generally fairly well looked-over and tested.

Yup. I like how Debian is like that: over 5,400 some packages within Debian (e.g. done by actual Debian developers, as opposed to random people as is the case with most rpms).

--
An Thi-Nguyen Le |It is only people of small moral stature who have to stand on their dignity.

