[5116] in WWW Security List Archive


Re: Do you trust tools from GNU?

daemon@ATHENA.MIT.EDU (Dan Stromberg)
Wed Apr 16 17:15:31 1997

Date: Wed, 16 Apr 1997 11:45:15 -0700
From: Dan Stromberg <strombrg@hydra.acs.uci.edu>
To: "David W. Morris" <dwm@xpasc.com>
CC: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

This is silly.

The GNU stuff has been very trustworthy, in practice, for years.  I use
GNU tools almost every day of the year.

The fact that you get it over the net instead of off a shelf doesn't
make it any less trustworthy.  Why would it?  If there's a problem, you
contact the ftp administrator and software maintainer, just like if
there's a problem in commercial software, you contact the store and the
vendor.  It's the same thing.

Have you -ever- heard of someone inserting a trojan into GNU software? 
If not, then why do people worry about it so much?  (Hmmm...)

Now on the other hand, there have been many viruses for MS word.  If the
world made sense, you'd be focusing on MS word documents instead.

David W. Morris wrote:
> 
> The following was extracted from a post to another mail list. Consider the
> possible problems which could ensue if your trusted firewall vendor used a
> GNU compiler to produce the commercial firewall product and due to poor
> security on the part of the GNU team, the compiler was altered to produce
> security compromising code.
> 
> While some of us may feel that we could carefully vet a piece of security
> related code, would we still believe that if we didn't trust our compiler?
> 
> Dave Morris
> 
> (It is of course possible that this did not come from a real member of
> the GNU project and their security policies may actually be more rigorous
> than your favorite security conscious commercial compiler vendor)
> 
> -------------------- referenced post ----->
> 
> Project GNU doesn't exactly count as a `vendor'; nor am I really
> an official representative.
> 
> However, we internally use very little security, and 99.9% of the
> time that works fine.  The fact that my passwords get sent cleartext
> across the net doesn't really bother me.
> 
> It's true that I wouldn't send credit card information cleartext; but
> most information I have stored in my accounts isn't really that
> important to me.  I'm not paranoid about protecting it anyway.
> 
> As a practical matter, it's a huge inconvenience to me when I'm not
> root.  Many other contributors to GNU feel that way, and I think
> that has something to do with our decisions to configure our machines
> in a less than paranoid way.
> 
> GNU doesn't really have any competitors per se.  It's true that the
> NetBSD people tend to reimplement everything GNU does in order to
> remove restrictions related to proprietary derivatives; and it's
> true that those who write proprietary software are competitors
> in a way.  But I would be quite happy if Netscape or Microsoft
> decided to use some of the code from [deleted to obscure identity
> slightly], as long as they
> follow the conditions of the GNU General Public License.
> 
> Another thing: I hate firewalls.  It's ridiculous spending hours
> to get a workstation to print, just because the printer is behind
> a firewall, and the workstation is outside.
> 
> Especially when there aren't any other machines running any IP
> server software behind that firewall.
> 
> [.... remainder deleted as it doesn't relate to my point]
