On Wed, 27 Nov 2002, Larry McVoy wrote:
> > What is the proper way to verify the kernel source before compiling?
> > There have been too many trojans of late in open source and free
> > software and I, for one, am getting paranoid.
>
> If it's in BK you can be pretty sure that it is what was checked in,
> BK checksums every diff in every file. It's not at all impossible
> to fool the checksum but it is very unlikely that you can cause
> semantic differences in the form of a trojan horse and still fool
> the checksums.

It depends on the checksum algorithm. If it's not `strong' (e.g. simple crc32),
I can easily add some specially tailored unused data to the code of which the
sole purpose is to make the checksum still match.

Gr{oetje,eeting}s,

Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
    -- Linus Torvalds
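
The point made in the reply above, as an added example that is not part of the original message: CRC-32 is linear, so four trailing bytes can steer it to any value, while a SHA-256 digest of the same bytes still shows that the content changed. The function names and the sample source lines are constructed for illustration, and the CRC is the zlib one, not necessarily the checksum BK uses.

```python
import hashlib
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial (the one zlib uses)

def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table

TABLE = _make_table()
# Every table entry has a distinct top byte, so a CRC step can be undone.
BY_TOP_BYTE = {v >> 24: i for i, v in enumerate(TABLE)}

def padding_for(data: bytes, wanted_crc: int) -> bytes:
    """Return 4 bytes that make zlib.crc32(data + padding) == wanted_crc."""
    start = zlib.crc32(data) ^ 0xFFFFFFFF   # internal register after data
    reg = wanted_crc ^ 0xFFFFFFFF           # register we must end on
    indices = []
    for _ in range(4):                      # walk the register backwards
        i = BY_TOP_BYTE[reg >> 24]
        indices.append(i)
        reg = ((reg ^ TABLE[i]) << 8) & 0xFFFFFFFF
    pad = bytearray()
    reg = start
    for i in reversed(indices):             # walk forwards, picking bytes
        pad.append((reg ^ i) & 0xFF)
        reg = (reg >> 8) ^ TABLE[i]
    return bytes(pad)

def compare(original: bytes, altered: bytes) -> dict:
    """Pad `altered` to the CRC of `original`, then check both digests."""
    padded = altered + padding_for(altered, zlib.crc32(original))
    return {
        "crc32_match": zlib.crc32(padded) == zlib.crc32(original),
        "sha256_match": hashlib.sha256(padded).digest()
                        == hashlib.sha256(original).digest(),
    }

if __name__ == "__main__":
    # Constructed sample lines, not taken from any real source tree.
    print(compare(b"int limit = 10;\n", b"int limit = 99;\n"))
```

The CRC comparison passes on the padded bytes and the SHA-256 comparison does not, which is why source verification should rest on a cryptographic digest obtained out of band.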
This archive was generated by hypermail 2b29 : Sat Nov 30 2002 - 22:00:18 EST