[linux-elitists] distributing software securely (was: DJB ruckus du jour)

Wayne Earl wayne@qconcepts.net
Wed Nov 13 16:30:18 PST 2002

On Wed, Nov 13, 2002 at 04:25:53PM -0800 or therabouts, john spurling wrote:
> software distributed as source is less secure than binaries because
> you can verify the integrity of either, but the former has external
> dependencies (build toolchain) that may have already been compromised
> (see also http://www.acm.org/classics/sep95/).

Now, it has been a long time since I've used any of djb's software
(having found vsftpd and postfix), but if I remember the build process
for djbdns correctly, djb only makes use of gcc as an external
dependency, with no external libraries. If gcc is trojaned, well, you
have bigger problems than the security of qmail.

Anyone a more recent djb software user (or have a clearer memory)?

> -john

Wayne Earl <wayne@qconcepts.net>
gpg public key: http://www.qconcepts.net/key.txt
gpg key fingerprint: 3CE4 0558 635E DADB 327C 73AB 11CA 9A6B B209 E8C5

More information about the linux-elitists mailing list