What happened did not happen from inserting bad code into the program but from putting bad code into the build scripts.
This was detected pretty quickly from what I've seen, and even then the code is only activated at recompilation time. The bad scripts were put onto the ftp server. I have to admit that rebuilding the program could not happen with proprietary software, so that the actual process of rebuilding would not ever happen. But even with shareware etc. the installation files using something like Installshield or MSI could be compromised in a similar fashion. The point is that the development process was not compromised but the ftp server was.

On Thu, 2002-10-10 at 09:26, Jeremy Bertenshaw wrote:
> So how did those precautions stop what happened in the
> sendmail case?
>
> jeremyb.
>
> > From: Zane Gilmore <[EMAIL PROTECTED]>
> > Date: 2002/10/10 Thu AM 09:24:20 GMT+13:00
> > To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> > Subject: Re: Re: Sendmail 8.2.16 Contains Trojan Horse
> >
> > No it isn't,
> > The people who look after these projects will be using a tool called
> > diff (see man diff)
> > Whenever any changes are put into the source tree then those changes are
> > gone over with a fine toothed comb.
> > Unknown people as a general rule are not allowed to put source code into
> > the main tree without *the changes* being checked.
> > One does not have to rummage through "millions of lines of code"
> >
> >
>

-- 
Zane Gilmore, Analyst / Programmer
Information Services Section, Information Technology Dept,
University of Canterbury
Private Bag 4800
Christchurch
New Zealand
phone +64-3-364 2987 extn 7895
Fax 3642222
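An added check in the spirit of the diff argument in this thread (example code, not written by anyone in the thread): it compares only the build scripts of a downloaded tree against a reference copy taken from the reviewed source tree, since that is the part the ftp-server tampering touched rather than the program itself. The list of build-script names and the two sample trees are constructed assumptions, not real sendmail files.

```shell
#!/bin/sh
# Added example: diff the build scripts of a downloaded source tree against a
# reference copy from the reviewed tree. Source review catches bad code committed
# to the tree; this catches bad code added to the distributed build scripts.

# Assumption: these names cover the build system of the project being checked.
BUILD_FILES="configure Makefile Makefile.in Build"

# check_build_scripts REFERENCE_DIR DOWNLOADED_DIR
# Prints a unified diff for every build script that differs. Returns 1 if any
# differed (a file present on only one side also counts), 0 if all matched.
check_build_scripts() {
    ref="$1"; dl="$2"; bad=0
    for f in $BUILD_FILES; do
        # Skip names that neither tree has at all.
        if [ -e "$ref/$f" ] || [ -e "$dl/$f" ]; then
            # diff exits 0 on identical files, 1 on differences, 2 if one is missing.
            if ! diff -u "$ref/$f" "$dl/$f" 2>/dev/null; then
                echo "MISMATCH: $f" >&2
                bad=1
            fi
        fi
    done
    return $bad
}

# Constructed sample trees: the downloaded copy has one extra line appended to
# its Build script that the reviewed reference copy does not have.
setup_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ref" "$tmp/dl"
    printf 'all:\n\tcc -o prog prog.c\n' > "$tmp/ref/Makefile"
    cp "$tmp/ref/Makefile" "$tmp/dl/Makefile"
    printf '#!/bin/sh\nmake all\n' > "$tmp/ref/Build"
    printf '#!/bin/sh\nmake all\necho extra-step-not-in-reviewed-tree\n' > "$tmp/dl/Build"
    echo "$tmp"
}

# Stand-alone run: report on the constructed trees.
if [ "${1:-}" = "--demo" ]; then
    d=$(setup_sample)
    check_build_scripts "$d/ref" "$d/dl" && echo "build scripts match" \
        || echo "build scripts differ from reviewed copy"
fi
```

The same comparison applies to a downloaded installer package: keep a reference copy produced from the reviewed tree and diff what is served from the distribution point against it.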
