> On Fri, Apr 14, 2006 at 01:04:05PM -0400, Eric Enright wrote:
>
>> That would work for source code, but would it for machine code?  How
>> could one peer review a binary package for anything other than "does
>> what it says"?  Going with the example Dennis gave earlier, if someone
>> introduced a back door into something, say, MySQL, it could prove
>> difficult to pick up with any amount of review.
>
> This is the advantage of having the source code repository be the
> interface among contributors, with binaries built in some central,
> presumably trusted, location and distributed from there.  While it's
> still difficult to trust that person/machine, at least you reduce the
> problem from trusting N entities to trusting 1 (or some small number
> of cooperating but mutually suspicious individuals).
>

I think we are on the wrong list again.

However... there is always the possibility of inline assembly or even of
binary code embedded in a data structure and then called via some pointer
manipulation.  Compiles fine.  Cooks your server on April the 1st.


-- 
Dennis Clarke
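As an added illustration of the review problem Dennis raises (this is example code written for this page, not from the thread or the OpenSolaris project): a heuristic review-time scanner that flags the constructs he names in C sources, inline assembly and byte blobs cast to function pointers. The regexes, thresholds and the constructed sample source are assumptions; hits are prompts for a human reviewer, not proof of a back door.

```python
import re

# Inline assembly in any of the common GCC/Sun spellings
INLINE_ASM = re.compile(r'\b(?:__asm__|__asm|asm)\b')
# A cast like "(void (*)(void)) buf" or "((int (*)(int)) tbl->code)":
# data being treated as a function pointer
FUNC_PTR_CAST = re.compile(
    r'\(\s*[\w\s\*]+?\(\s*\*\s*\)\s*\([^)]*\)\s*\)\s*[\w\.\->\[\]]+')
# Runs of hex escapes / hex literals typical of embedded machine code
# (threshold of 8 is an assumption; tune for the code base)
HEX_STRING = re.compile(r'(?:\\x[0-9a-fA-F]{2}){8,}')
HEX_ARRAY = re.compile(r'(?:0x[0-9a-fA-F]{2}\s*,\s*){8,}')


def scan_source(text):
    """Return (line_number, reason) pairs for lines a reviewer should read."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if INLINE_ASM.search(line):
            hits.append((n, "inline assembly"))
        if FUNC_PTR_CAST.search(line):
            hits.append((n, "data cast to function pointer"))
        if HEX_STRING.search(line) or HEX_ARRAY.search(line):
            hits.append((n, "embedded byte blob"))
    return hits


# Constructed sample: a harmless short lookup table (not flagged) next to
# the patterns the scanner is meant to catch. The blob bytes are
# placeholders, not real machine code.
SAMPLE = r'''
static const unsigned char crc_table[] = { 0x00, 0x07, 0x0e, 0x09 };
static unsigned char blob[] = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09";
void run(void) {
    __asm__ volatile("nop");
    ((void (*)(void)) blob)();
}
'''

if __name__ == "__main__":
    for lineno, reason in scan_source(SAMPLE):
        print(f"line {lineno}: {reason}")
```

Run it over a source tree with `scan_source(open(path).read())` per file; the point is that a plain read of a diff is not enough, the reviewer has to look for data that becomes code.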

_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org