Hello,
Peter Crowther wrote:
> From: Vigorito, Nicholas E. [mailto:[EMAIL PROTECTED]
> > A coworker claims that all unix admins should never install
> > open source binaries. They should build using the source.
> Binaries are marginally more open to tampering; this is why most (all?)
> Apache projects provide checksums of the built packages. A cracker
> would have to replace the binaries on the distribution machine *and*
> tamper with the checksums that are held on a different machine. Or
> they'd have to be part of the relevant build team, in which case they
> may well be able to get their crack into the source anyway.
Source files have checksums too (and I don't think source files are less
open to tampering -- in fact it's probably easier to change something in
the source code). The safety provided by checking the checksums of a
binary package is more or less the same as that offered by checking the
checksums of the source packages (in the case when the people who
produce the packages are the same).
If you want to push the verification to a further level, we go back to
the argument that you must personally check each and every single line
of code -- simply infeasible.
The one thing you are forced to trust when you use a binary package is
the compiler with which it has been built. Most of the time, you don't
even need to worry about the libraries your application relies on, since
dynamic linking means that the binary application is going to use those
already on your system (which I guess you trust).
Perhaps binary packagers could say with which compiler their code has
been compiled, just in case you were worried about a particular compiler.
The real main advantage you get from building from source is to have a
binary executable that can be optimised for the target machine.
In the case of Tomcat, since it's all Java-based and it relies on the
JVM to do that, it does not really matter. It might help for the native
libraries.
Regards,
Bruno.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
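Added example, not code from this thread or from the Tomcat project: the check Peter describes, comparing a downloaded package against the checksum published for it, written in POSIX shell. It accepts both checksum-file layouts Apache projects have shipped (the flat "hash  filename" line of sha512sum, and the upper-case, grouped, line-wrapped form that gpg --print-md produces), and it refuses to report a match when the published digest has the wrong length for the chosen algorithm, which is what happens when a sha256 is checked against a .sha512 file. The sample file, file names and checksum files in the demo are constructed for this example; the digests used are the standard SHA-256 and SHA-512 test-vector values for the three bytes "abc". The tools assumed are awk, grep, tr and either coreutils sha256sum/sha512sum or the BSD/macOS shasum.

```shell
#!/bin/sh
# Added example (not from the list thread or the Tomcat project): verify a
# downloaded release package against its published checksum file before
# unpacking it.  Two checksum-file layouts are accepted:
#   (a) sha512sum/sha256sum style:  <hex>  <filename>   or   <hex> *<filename>
#   (b) "gpg --print-md" style:     <filename>: HHHHHHHH HHHHHHHH ... wrapped
#                                   over several lines in upper-case groups
# Assumed tools: POSIX sh, awk, grep, tr, and coreutils sha*sum or BSD shasum.

# Print the lower-case hex digest of file $1 using algorithm $2 (sha256|sha512).
compute_digest() {
    case "$2" in
        sha256|sha512) ;;
        *) echo "compute_digest: unsupported algorithm '$2'" >&2; return 2 ;;
    esac
    if command -v "${2}sum" >/dev/null 2>&1; then
        "${2}sum" "$1"
    else
        shasum -a "${2#sha}" "$1"          # BSD/macOS fallback
    fi | awk '{ print tolower($1) }'
}

# Print the digest recorded in checksum file $1 as one lower-case hex string.
# Every whitespace-separated token made only of hex digits is taken as part of
# the digest; file-name tokens ("*x.tar.gz", "x.tar.gz:") contain non-hex
# characters and so never match.  Assumption: file names carry no spaces.
published_digest() {
    tr -s ' \t\r\n' '\n\n\n\n' < "$1" \
        | grep -E '^[0-9A-Fa-f]{4,}$' \
        | tr -d '\n' \
        | tr 'A-F' 'a-f'
}

# Compare the computed digest of $1 with the one published in $2 using
# algorithm $3 (default sha512).  Returns 0 on match, 1 on mismatch and 2 when
# the inputs are unusable (unreadable file, wrong algorithm for the file).
verify_download() {
    file=$1 sumfile=$2 alg=${3:-sha512}
    [ -r "$file" ] || { echo "verify_download: cannot read $file" >&2; return 2; }
    actual=$(compute_digest "$file" "$alg") || return 2
    expected=$(published_digest "$sumfile")
    case "$alg" in sha256) want=64 ;; sha512) want=128 ;; esac
    if [ "${#expected}" -ne "$want" ]; then
        echo "verify_download: $sumfile holds ${#expected} hex digits, $alg needs $want" >&2
        return 2
    fi
    if [ "$expected" = "$actual" ]; then
        echo "OK: $file matches the digest published in $sumfile"
        return 0
    fi
    echo "MISMATCH: $file differs from the digest published in $sumfile" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# Demonstration on constructed inputs: the file "abc" (SHA-512 test vector),
# a checksum file in the wrapped layout, then the same file after tampering.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'abc' > "$dir/sample.tar.gz"
    printf '%s\n' \
        'sample.tar.gz: DDAF35A1 93617ABA CC417349 AE204131 12E6FA4E 89A97EA2' \
        '               0A9EEEE6 4B55D39A 2192992A 274FC1A8 36BA3C23 A3FEEBBD' \
        '               454D4423 643CE80E 2A9AC94F A54CA49F' \
        > "$dir/sample.tar.gz.sha512"
    verify_download "$dir/sample.tar.gz" "$dir/sample.tar.gz.sha512" sha512 || :
    printf 'abd' > "$dir/sample.tar.gz"        # simulated tampered download
    verify_download "$dir/sample.tar.gz" "$dir/sample.tar.gz.sha512" sha512 || :
    rm -rf "$dir"
}

demo
```

The value of this check is only as good as where the checksum came from: a digest fetched from the same mirror as the package detects a corrupted transfer and nothing more, while a digest served from a different machine (the point made above) forces an attacker to compromise both. A PGP signature over the package, verified against the project's published KEYS file, goes one step further and is not covered by this script.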