On Mon, Aug 21, 2000 at 03:08:49PM -0400, Noah L. Meyerhans wrote:

> You can't.  Period.  Same goes for source.  Same goes for commercial
> binaries.  Same goes for any code you haven't read (or had someone you
> thoroughly trust read).

Agreed. However, the classic statement on the subject is even stronger:

http://www.acm.org/classics/sep95

It's Ken Thompson's "Reflections on Trusting Trust":

"The moral is obvious. You can't trust code that you did not totally
create yourself. (Especially code from companies that employ people
like me.) No amount of source-level verification or scrutiny will protect
you from using untrusted code."

-- 
Bob Bernstein
at                    
Esmond, R.I., USA    
