[1294] in Kerberos
Re: Integrity of MIT source
daemon@ATHENA.MIT.EDU (Joe Pato)
Fri Mar 8 12:33:40 1991
From: pato@apollo.com (Joe Pato)
Date: Fri, 8 Mar 91 11:40:30 EST
To: tytso@ATHENA.MIT.EDU
Cc: jrc@snow-white.Lanl.GOV, kerberos@ATHENA.MIT.EDU
In-Reply-To: tytso@ATHENA.MIT.EDU, fri, 8 mar 91 11:24:46
security audit over the code. In this respect, vendor releases of
Kerberos are likely to be worse, since you don't get the source code,
and so you have to take the vendor's word that there are no back doors.
I, personally, would rather take a look at the source code myself, and
assure myself that a piece of security-related code is free of holes,
accidental or otherwise.
It may be true that a vendor does not release the source code to Kerberos - but
then again the vendor probably also does not release the source code to the OS
or to the login program or any other component of the trusted computing base.
-- Joe Pato
Cooperative Computing Division
Hewlett-Packard Company
pato@apollo.hp.com
-------