On Mon, 2004-07-12 at 16:17 +0200, Norbert Bollow wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Paolo Molaro <[EMAIL PROTECTED]> wrote: > > > > Is this an attempt to spread FUD (Fear, Uncertainty and Doubt) about > > > the DotGNU Portable.Net (pnet) system, or did you honestly write the > > > above without thinking about the matter first? > > > > It's not FUD, it's just the reality: if people think that using pnet is > > safer wrt a possible trojan injected by MS, they are deluding > > themselves (and showing they don't know much about security). > > You claimed that MS had more opportunity to inject a trojan into > our system than they had for injecting a trojan into yours, thereby > implying that that would have been possible for them. Since the kind > of attack which was under discussion is possible only with compilers > which are used to compile themselves (which is the case with mono's > compiler but not with the DotGNU Portable.Net system), the statement > which you made is FUD and you owe us an apology for it. > > > Unless the C compiler (for example) was trojaned by the Console.WriteLine() > > implementation (emitted by the hyphotetical trojaning MS compiler) when > > the first tests were run with pnet. So the moment you ran untrusted code > > on the system, it doesn't matter if you bootstrap from C or from C#. > > Even more FUD. Even if (as you seem to imply) a hypothetical > trojaning MS compiler had trojaned early pnetlib builds in a way which > exploits some kernel security hole on GNU/Linux systems to gain root > privileges to modify the C compiler installation on that machine, that > would not have affected the binaries which we distribute today because > they're built on other machines which have probably never received > _any_ binaries from the machines where the early tests were done. (If > in your opinion the "probably" above isn't good enough, let me know; I > can easily enough do a round of builds on machines where I can guarantee > this to be the case.) > > > Just as a summary, since people seem to be sensitive about these issues: > > *) I don't think MS has trojaned either mono or pnet > > *) if they could have trojaned mono, they could have done the same to pnet > > *) since the trojaning of both systems is theoretical it's not easy to > > say which one of the two could be more likely, but feel free to discuss > > it in the [EMAIL PROTECTED] list:-) > > I do think that the (at least theoretical) possibility of trojaned > self-compiling compilers should be on the "long list of potential > issues to take into consideration". I do not think that it is > appropriate to single out MS as the only potential attacker. > > I believe that good security can be achieved only by taking into > consideration all possible attacks from all possible attackers. Is > the Mono project leadership in disagreement with this view? > > Greetings, Norbert. > > - -- > Founder & Steering Committee member of DotGNU, see http://dotgnu.org/ > Free Software Business Strategy Guide ---> http://FreeStrategy.info > Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland) > Tel +41 1 972 20 59 Fax +41 1 972 20 69 http://norbert.ch > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.4 (GNU/Linux) > > iD8DBQFA8p0uoYIVvXUl7DIRAtyCAKDVHhHRr2zfqivIoejt1JWSWoVf4ACgsNEB > I2A4ZMmPczZ9bexxWGvw8sM= > =0Kuz > -----END PGP SIGNATURE-----
Just out of curiosity, who the hell cares? Neither one is trojaned. Lets just move on. --Todd _______________________________________________ Mono-list maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/mono-list
