Alan Hargreaves <[EMAIL PROTECTED]> wrote:
> Orvar Korvar wrote:
> > I know Solaris 10 is closed source and OpenSolaris is not. I think it will
> > be hard to review all code and compile it yourself to be sure against back
> > doors.
> >
> >
> Just because you have the code, can read it, and compile it yourself
> does not guarantee anything. Earlier in the thread David Dyer-Bennet
> recommended Ken Thompson's 1983 Turing Award Lecture - It's titled
> "Reflections on Trusting Trust" and you should be able to find it on
> Google. This is definitely recommended reading for anyone who believes
> that simply having the source and the ability to compile it yourself is
> simply insufficient.

The attacks were based on a modified C compiler.
The C compiler would recognize login.c and the C compiler source and
add trojan code to both programs.

A way to prevent this requires two free and open compilers that are able
to compile each other. As long as it is not possible to infiltrate both
compiler teams, you could clean compiler binaries via a compilation with the
other one.

Jörg
--
EMail:[EMAIL PROTECTED] (home) Jörg Schilling D-13353 Berlin
[EMAIL PROTECTED] (uni)
[EMAIL PROTECTED] (work) Blog: http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/old/private/ ftp://ftp.berlios.de/pub/schily
_______________________________________________
opensolaris-discuss mailing list
[email protected]
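
The cross-compilation cleanup described in the reply above, as a toy Python model (an added example, not part of the original message or of either compiler project). The names `Binary`, `run_compiler`, `rebuild_via_other` and `matches_clean_rebuild` and the source labels are hypothetical; the model assumes deterministic compilation and that the second compiler's binary is clean.

```python
from dataclasses import dataclass

# Constructed source labels: each compiler's source describes its own code generator.
CODEGEN = {"cc-A source": "A", "cc-B source": "B"}
TARGETS = ("cc-A source", "login source")  # inputs the hidden payload recognizes


@dataclass(frozen=True)
class Binary:
    implements: str        # source text this binary was built from
    emitted_by: str        # code generator that produced its bytes
    trojan: bool = False   # payload present in the binary but in no source


def run_compiler(compiler: Binary, source: str) -> Binary:
    """Deterministically compile `source` with the given compiler binary."""
    infected = compiler.trojan and source in TARGETS  # payload copies itself
    return Binary(source, CODEGEN[compiler.implements], infected)


def rebuild_via_other(other: Binary, compiler_source: str) -> Binary:
    """Clean a compiler by bootstrapping its source through the other compiler."""
    stage1 = run_compiler(other, compiler_source)   # correct logic, other's codegen
    return run_compiler(stage1, compiler_source)    # now emitted by its own codegen


def matches_clean_rebuild(suspect: Binary, other: Binary, compiler_source: str) -> bool:
    """True if the suspect binary is identical to the cross-bootstrapped one."""
    return suspect == rebuild_via_other(other, compiler_source)


if __name__ == "__main__":
    cc_b = Binary("cc-B source", "B")                 # assumed clean
    bad_a = Binary("cc-A source", "A", trojan=True)   # constructed suspect binary
    # Rebuilding A from its clean source with itself keeps the payload.
    print(run_compiler(bad_a, "cc-A source") == bad_a)
    # Rebuilding through B removes it, and the comparison flags the suspect.
    print(rebuild_via_other(cc_b, "cc-A source"))
    print(matches_clean_rebuild(bad_a, cc_b, "cc-A source"))
```

The second stage matters: the first-stage binary has the right logic but was emitted by the other compiler's code generator, so only the second-stage output can be compared byte for byte with a self-built binary.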