On 09/22/2016 06:28 AM, Carlos E. R. wrote:
> That's the only alternative I see, build it myself locally. But no, I cannot simply install it. Not from a home repo that I do not know who made it. Home repos are not for use unless the owner tells you it is safe and ok.
Suuuuuuure! The owner is the guy that (re-)coded it and inserted the trojan. He's the one guy that you can ABSOLUTELY be sure will say "yea, there's nothing wrong with my code, there's no bugs, there's no back-doors, there's no trojans" while sniggering at you.

Of course you *HAVE* to build it yourself. Of course you *HAVE* to pore over each line of code and figure out all the interactions and side effects. Of course you have to have a complete mastery of not just the programming language and all the libraries and includes, which you have pored over in detail as well, but the compiler and compiler sub-system, to make sure it's not suffering from the Thompson Effect:

https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html

<quote>
The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.
</quote>

I will admit that I did read and understand the code for the V6 kernel, thank you John Lions. I did read and understand the code for the V7 kernel and many UNIX utilities at that level, since I was employed for a few years maintaining them, along with some USB utilities we - ahm - 'imported'. I reviewed SYSTEM III and sampled the code, and felt that the Bell UNIX Systems group had taken a step backwards. In particular, the code for 'more' in BSD was, while typical 'student' coding, quite direct; the USG version was pure spaghetti.
On the basis of the code I read, I trusted the 'professionals' at USG less than I trusted the group of individuals that produced V6 & V7 and the 'kids and academics' at Berkeley who had produced BSD.

Later I saw the "dialogue" and VAX-Wars between Bill Joy, who was producing the free software of BSD for the VAX, and Dave Cutler, who designed and produced RSX-11M, VMS and VAXELN at Digital Equipment and later went on to develop NT at Microsoft. The 'open' BSD that Joy was using could be tuned and improved, using a HLL (OK, 'C'), faster and better than Cutler could do in assembler for VMS. That pretty much destroyed my faith in 'professional' and 'closed source' systems.

I gave up at that point. From then on I relied on automation. There's a quotation one of my university profs employed:

If a better system is thine, impart it; if not, make use of mine.

So I use Linux.

One final question, Carlos. Presumably you have installed openSUSE from the supplied binaries on the DVD or via the network, and update binaries via the repository. Presumably you trust the people who contribute their time to build these. How do you differentiate these people from the ones that use the Build System and put the results in "home:"?

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?