> So GNU/Linux distributions *may* contain spyware. I am not aware of anybody that bothers to check.
There's lots of latent checking. When people look at the code for any reason, they might spot the spyware (if there is spyware).
And there are spot checks when there's a suspicion. Someone accused me last year of running a site which sent info to a third-party server. I checked the code (it was WordPress) and found that the person was wrong.
The risks are pretty high since one person can remove the spyware and distribute a spyware-free version, so the original developer will lose face and will cease to be the upstream source of the software. With risks that high, latent checking and spot checks are generally enough to dissuade developers from putting in spyware in the first place.
Posted Dec 8, 2012 20:10 UTC (Sat) by ikm (subscriber, #493)
I believe OP meant that binary packages may not correspond to the sources they were supposed to be built from, and it's hard to check whether they actually do.
There's latent checking and spot checks
Posted Dec 8, 2012 21:22 UTC (Sat) by oever (subscriber, #987)
Yes, I meant that it is hard to match binary to source. Publishing a binary with spyware and claiming that it corresponds to source code which has no spyware can go undetected.
In the above example of WordPress, I assume OP checked the production PHP code. Since WordPress is shipped only as source (as far as I know), this would rule out the presence of spyware in the site.
If the site was running a compiled CGI plugin, finding that the source code has no spyware does not mean that the binary has no spyware. The spyware might even be in the apache binary.
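The check the thread describes as hard (does a shipped binary really correspond to the published source?) is tractable only when an independent rebuild is bit-for-bit reproducible. The script below is an added example, not code from either commenter: it rebuilds an artifact from source, hashes both the rebuild and the distributed copy, and reports a mismatch. The "build step" here is a deterministic stand-in (`tr`) and the sample source and binaries are constructed in a temp directory; a real check would invoke the project's build system with a pinned toolchain in its place.

```shell
#!/bin/sh
# Added example: compare the hash of a distributed artifact with an independent
# rebuild from source. Only meaningful when the build is reproducible.
set -eu

# sha256_of FILE: print the SHA-256 of FILE (falls back to shasum on systems
# without coreutils sha256sum)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# build_from_source SRC OUT: deterministic stand-in for a real build step
# (constructed for this example; a real check runs the project's build here)
build_from_source() {
  tr 'a-z' 'A-Z' < "$1" > "$2"
}

# verify_artifact SRC DISTRIBUTED: rebuild SRC, then compare the rebuild's hash
# with the hash of DISTRIBUTED. Returns 0 on match, 1 on mismatch.
verify_artifact() {
  src=$1
  dist=$2
  tmp=$(mktemp)
  build_from_source "$src" "$tmp"
  expected=$(sha256_of "$tmp")
  actual=$(sha256_of "$dist")
  rm -f "$tmp"
  if [ "$expected" = "$actual" ]; then
    echo "OK: $dist matches an independent rebuild of $src"
    return 0
  fi
  echo "MISMATCH: $dist does not correspond to $src"
  echo "  rebuilt: $expected"
  echo "  shipped: $actual"
  return 1
}

# Constructed demo data: one honest artifact and one that carries extra bytes
# the published source does not account for.
demo_dir=$(mktemp -d)
printf 'hello from upstream\n' > "$demo_dir/source.txt"
tr 'a-z' 'A-Z' < "$demo_dir/source.txt" > "$demo_dir/honest.bin"
{ tr 'a-z' 'A-Z' < "$demo_dir/source.txt"; printf 'EXTRA BYTES\n'; } > "$demo_dir/tampered.bin"

verify_artifact "$demo_dir/source.txt" "$demo_dir/honest.bin"
verify_artifact "$demo_dir/source.txt" "$demo_dir/tampered.bin" || true
```

The comparison is only as strong as the rebuild: if the toolchain embeds timestamps, paths or random seeds, honest binaries will also fail to match, which is precisely why matching binary to source is hard in practice and why reproducible-build efforts exist.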