[5082] in WWW Security List Archive


Do you trust tools from GNU?

daemon@ATHENA.MIT.EDU (David W. Morris)
Tue Apr 15 22:57:32 1997

Date: Tue, 15 Apr 1997 14:40:41 -0700 (PDT)
From: "David W. Morris" <dwm@xpasc.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu


The following was extracted from a post to another mail list. Consider the
possible problems which could ensue if your trusted firewall vendor used a
GNU compiler to produce the commercial firewall product and due to poor
security on the part of the GNU team, the compiler was altered to produce
security compromising code.

While some of us may feel that we could carefully vet a piece of security
related code, would we still believe that if we didn't trust our compiler?

Dave Morris

(It is of course possible that this did not come from a real member of
the GNU project, and their security policies may actually be more rigorous
than those of your favorite security-conscious commercial compiler vendor.)

-------------------- referenced post ----->

Project GNU doesn't exactly count as a `vendor'; nor am I really
an official representative.

However, we internally use very little security, and 99.9% of the
time that works fine.  The fact that my passwords get sent cleartext
across the net doesn't really bother me.

It's true that I wouldn't send credit card information cleartext; but
most information I have stored in my accounts isn't really that
important to me.  I'm not paranoid about protecting it anyway.

As a practical matter, it's a huge inconvenience to me when I'm not
root.  Many other contributors to GNU feel that way, and I think
that has something to do with our decisions to configure our machines
in a less than paranoid way.

GNU doesn't really have any competitors per se.  It's true that the
NetBSD people tend to reimplement everything GNU does in order to
remove restrictions related to proprietary derivatives; and it's
true that those who write proprietary software are competitors
in a way.  But I would be quite happy if Netscape or Microsoft
decided to use some of the code from [deleted to obscure identity
slightly], as long as they
follow the conditions of the GNU General Public License.

Another thing: I hate firewalls.  It's ridiculous spending hours
to get a workstation to print, just because the printer is behind
a firewall, and the workstation is outside.

Especially when there aren't any other machines running any IP
server software behind that firewall.

[.... remainder deleted as it doesn't relate to my point]