> > A second option would be to create a wrapper gcc executable that
> > adds '-DOPENSSL_SYSNAME_WIN32' to the command line before passing it
> > on to the real gcc. While this seems not to violate the letter of
> > the Security Policy, it certainly seems shady.
> >
> > Anyone got a better idea?
> >
>
>
> Use the Microsoft compiler?
>
> If you really want to be FIPS compliant why are you using mingw?
> Some auditor might ask the same question.

In which way is using a closed-source compiler, where nobody knows
which backdoors it might add to the validated code, better than
using a wrapper executable for gcc? AFAIK it's the source code
and the build procedure that have been certified, not the resulting
binary, or am I wrong here?

Regards,
Stefan
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List