1998-11-23 - Re: Is Open Source safe? [Linux Weekly News]

Header Data

From: "Frank O'Dwyer" <fod@brd.ie>
To: Vlad Stesin <rmiles@Generation.NET>
Message Hash: 79e1364e6be690d2ccb9530503e2e3bf42997c72c9be8ebd09a3d8d29dcd6df6
Message ID: <36595F29.C39B997A@brd.ie>
Reply To: <Pine.SOL.3.96.981122232742.12779A-100000@sparkle>
UTC Datetime: 1998-11-23 13:49:11 UTC
Raw Date: Mon, 23 Nov 1998 21:49:11 +0800

Raw message

From: "Frank O'Dwyer" <fod@brd.ie>
Date: Mon, 23 Nov 1998 21:49:11 +0800
To: Vlad Stesin <rmiles@Generation.NET>
Subject: Re: Is Open Source safe? [Linux Weekly News]
In-Reply-To: <Pine.SOL.3.96.981122232742.12779A-100000@sparkle>
Message-ID: <36595F29.C39B997A@brd.ie>
MIME-Version: 1.0
Content-Type: text/plain



Vlad Stesin wrote:
> I don't quite understand the logic behind this. The fact that the
> program's source is available is itself a proof that there are no
> backdoors. Anyone can read the source code and make sure it's OK.

Anyone can, but does anyone? Also be aware that most people don't
compile from source--it would be easy to doctor the source, compile a
binary, and ship the trojan binary alongside the unmodified source.
 
> However, this argument does hold against non-OSS. 

Yes it does, but not quite in the same way. For example, I believe that
in days of yore some attackers managed to insert a back door into some
DEC OS by breaking into the coding environment (I don't recall the
details, does anyone else?). So in other words, not only _could_ this
happen with non-OSS, it _has_ happened, and no doubt it happens
reasonably often.

In short, this is a real problem, but it seems to me that the likes of
Linux ought to be able to leverage its decentralised and parallel
development model to address it in a more comprehensive manner than any
closed centralised model could ever hope to achieve. "Many eyes"
_should_ make for defence in depth against this--but it does look like
some process is needed, and the Linux folk will need some kind of
argument to convince people that it works.

Perhaps a start would be for individuals to essentially certify software
that they had personally checked, offering repositories with detached
signatures for specific versions of software compiled in a certain way.
Software that hadn't yet been certified or which didn't match sufficient
independent signatures could then be referred to a human for checking,
and if it was OK then that version of the software could also be signed.
This would also serve as a highly visible "yes, we have checked this for
back doors" statement..."and here are 1,000s of signatures to prove it"
:)

Cheers,
Frank O'Dwyer.
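The certification scheme sketched in the message above (individuals publishing detached signatures over a specific version of software built in a certain way, with a threshold of independent signatures before a build is accepted and a referral to a human otherwise), together with the earlier point that a trojaned binary can ship beside clean source, as an added example that is not part of the original message or of the list archive. It uses only the Go standard library, generates Ed25519 reviewer keys at run time, and the artifact bytes, reviewer names, version string and threshold are all constructed for the illustration. It goes slightly beyond the post in one respect: the signed statement binds the version label as well as the digest, so a signature cannot be replayed for a different release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Reviewer is one person who has personally checked a build and publishes a
// detached signature over its digest. Keys are generated per run for the
// example; a real repository would carry long-lived, out-of-band-verified keys.
type Reviewer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// DetachedSig is what a reviewer publishes alongside (not inside) the binary.
type DetachedSig struct {
	Reviewer string
	Version  string
	Digest   string
	Sig      []byte
}

// signedBytes is the exact statement a reviewer signs. Including the version
// label, not only the hash, stops a signature being reused for another release.
func signedBytes(version, digest string) []byte {
	return []byte("build-cert/v1\n" + version + "\n" + digest + "\n")
}

// Digest identifies one concrete build: the same source compiled differently
// yields a different digest and therefore needs its own signatures.
func Digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

func NewReviewer(name string) *Reviewer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Reviewer{Name: name, Pub: pub, priv: priv}
}

// TrustedKeys builds the key ring a verifier would ship with.
func TrustedKeys(rs []*Reviewer) map[string]ed25519.PublicKey {
	m := map[string]ed25519.PublicKey{}
	for _, r := range rs {
		m[r.Name] = r.Pub
	}
	return m
}

// Certify produces the detached signature for one version of one build.
func (r *Reviewer) Certify(version string, artifact []byte) DetachedSig {
	d := Digest(artifact)
	return DetachedSig{Reviewer: r.Name, Version: version, Digest: d,
		Sig: ed25519.Sign(r.priv, signedBytes(version, d))}
}

// CountIndependent counts distinct trusted reviewers whose signatures verify
// over exactly this artifact at this version. Unknown keys, repeat signatures
// from one reviewer, wrong versions and wrong digests are all ignored.
func CountIndependent(version string, artifact []byte, sigs []DetachedSig, trusted map[string]ed25519.PublicKey) int {
	d := Digest(artifact)
	seen := map[string]bool{}
	for _, s := range sigs {
		pub, ok := trusted[s.Reviewer]
		if !ok || s.Version != version || s.Digest != d || seen[s.Reviewer] {
			continue
		}
		if ed25519.Verify(pub, signedBytes(version, d), s.Sig) {
			seen[s.Reviewer] = true
		}
	}
	return len(seen)
}

// Verdict is the policy from the post: enough independent signatures means the
// build is certified; anything short of that is referred to a human.
func Verdict(n, threshold int) string {
	if n >= threshold {
		return "certified"
	}
	return "refer to human"
}

func main() {
	// Constructed sample: a pretend binary and a trojaned copy differing by one byte.
	good := []byte("hypothetical foo-1.2 binary built with gcc -O2")
	trojan := append([]byte{}, good...)
	trojan[len(trojan)-1] ^= 1

	reviewers := []*Reviewer{NewReviewer("alice"), NewReviewer("bob"), NewReviewer("carol")}
	trusted := TrustedKeys(reviewers)
	var sigs []DetachedSig
	for _, r := range reviewers {
		sigs = append(sigs, r.Certify("foo-1.2", good))
	}
	sigs = append(sigs, reviewers[0].Certify("foo-1.2", good)) // duplicate: must not count twice

	const threshold = 3
	for name, bin := range map[string][]byte{"shipped build": good, "trojaned build": trojan} {
		n := CountIndependent("foo-1.2", bin, sigs, trusted)
		fmt.Printf("%-15s %s... %d independent signatures -> %s\n", name, Digest(bin)[:12], n, Verdict(n, threshold))
	}
}
```

The check is over the build's digest rather than the source, which is the point of the "trojan binary beside clean source" case: the clean source stays clean, but the doctored binary hashes differently and inherits none of the signatures. Whether three signatures is "sufficient" is policy, not cryptography; the threshold is a parameter here for that reason.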