SELinux removed from desktop cd spin?
Matthew Saltzman
mjs at CLEMSON.EDU
Wed Jan 23 16:07:05 UTC 2008
On Wed, 2008-01-23 at 08:02 -0600, Les Mikesell wrote:
> Matthew Saltzman wrote:
>
> >>> But the NSA would be at least as capable of introducing a hack that you
> >>> could examine but not see as Ken Thompson:
> >>> http://www.everything2.com/index.pl?node=Reflections%20On%20Trusting%20Trust
> >>>
> >>> I'd expect them to even be able to conspire with the CPU vendors to have
> >>> certain undocumented opcode sequences do magical things.
> >> Sure. You can believe whatever you want to. I am merely stating a fact
> >> that the bar to do this with open source software is way higher than
> >> proprietary software and in fact is the highest that anyone can
> >> practically go.
> >
> > Also, in order to carry out a hack like that, you have to infect the
> > toolchain somewhere along the line, so that everyone building the code
> > is doing so with infected compilers. With open-source code and an
> > open-source toolchain, that seems pretty unlikely.
> >
> > Or are you suggesting, Les, that everyone's copy of gcc is derived from
> > one built by the NSA and smuggled into RMS's lab at some point in its
> > early history?
>
> How many people have contributed code and how much do you know about
> them or their motives? But a more likely target would be the CPU
Rahul's point (as I take it) is that at least OSS code gets a fair
amount of peer review by a wide variety of people who don't necessarily
share the NSA's nefarious motives. Way more than can be expected from
proprietary code. (Think Diebold...) My point is that infecting an
open-source toolchain is much harder than infecting a proprietary one,
for the same reason.
I'll certainly acknowledge that there is no such thing as perfect
security.
> companies since there are only a couple that matter and this could make
> the compiler portion pretty much invisible. Is that any more paranoid
> than thinking the major communication companies all have government taps
> for everything passing through or that cell phones are all rigged so the
> government can locate and listen at any time?
Probably not...
>
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs