Gentoo desktop?

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed Jan 16 04:21:05 UTC 2008


On Jan 15, 2008 9:53 PM, Dave Germiquet <davegermiquet-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> I read it, but how could something like this happen nowadays?
>
> Don't a hundred eyes see the same code all the time because of "Open
> Source" or is the safety of open source an illusion?
>
> Because, for example, Linux is made of millions and millions of lines of
> code, so there could be hacks in any of them.

The example that Thompson gives represents an attack that reading
source code doesn't mitigate.

For most code, a hundred eyes *don't* see the code, because there
aren't frequently hundreds of times as many people interested in
reading code as there are interested in writing code.  And both are
usually a minority.

Scrutinizing the source code is not of zero value, and the *potential*
for scrutiny will discourage sorts of attacks that would be found by
such examination.  But it is not a panacea, solving all problems.

I have considerable respect for those that read the sources, for those
that read the patch queues.  That's of considerable value in
protecting projects from malicious intent.  The illusion that watching
streams of "gcc -c foo.c -O4" wash across the screen is valuable in
any security sense seems pretty ridiculous, in comparison.

> > See <http://cm.bell-labs.com/who/ken/trust.html>

A conclusion that Thompson drew was that there were kinds of attacks
that would not be mitigated by examining the sources.  Whether the
source code is open or not is completely immaterial to the matter.
-- 
http://linuxfinances.info/info/linuxdistributions.html
"The definition of insanity is doing the same thing over and over and
expecting different results."  -- assortedly attributed to Albert
Einstein, Benjamin Franklin, Rita Mae Brown, and Rudyard Kipling
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists