ok, the longer version then
Posted Jun 2, 2006 20:17 UTC (Fri) by coriordan (guest, #7544)
In reply to: trust, GCC, and Ken Thompson's compiler trojan thesis by jabby
Parent article: GNU grep's new features (Linux.com)
I agree with Ken that no one can verify all the code, but access to the source is better than no access to the source, and knowing that everyone has access to the source, and can analyse it in any way they want, and that if one person finds a trojan, they can remove it and publish the patch, is probably as good as it gets.
It's not perfect, and some trust is still required, but that is a fact of life and cannot be avoided. All we can do is aim for "as good as it gets" - and that involves the four freedoms.
When I was writing that paragraph in my blog, I wondered if I should go into the explanation, but I decided against because it was supposed to be a paragraph about GCC.
Posted Jun 2, 2006 20:32 UTC (Fri) by jabby (guest, #2648)
And your paragraph in the context of GCC is not incorrect. It's absolutely true that Free Software helps to prevent source-borne trojans. Only in the context of the whole ACM article does this argument fall short and, as you say, that was not your aim in your short "top 10" list.
I agree. Access to source is a huge advantage. And keeping source code in a version control system goes a long way toward monitoring changes and preventing even the fully baked Ken Thompson exploit.