[plug] Idea for a Talk
John Summerfield
summer at os2.ami.com.au
Mon Nov 23 09:39:14 WST 1998
On Sun, 22 Nov 1998, Christian wrote:
> Hi all,
>
> I was reading an article by Bruce Perens on Linux Weekly News where he
> suggests that the software we use could possibly be compromised by an
> author (or patch submitter) including a trojan horse into the code. As
> part of the solution he suggests educating people on the use of public
> key encryption in LUGs. For the full article see:
>
> http://www.lwn.net/1998/1119/Trojan.html
>
> Perhaps this might be a good suggestion to follow up on and someone with
> the appropriate expertise could give a talk on it at an upcoming
> meeting?
I've not read the article (and as I'm offline just now, probably won't).
However, it's a question that I've mulled over from time to time over the
years. I can imagine that encryption and digital signatures may help in
identifying the source but...

No digital identification's any better than the identification provided to
register it.

Assuming I know the name and address of some criminal in, say, Russia. What
then?

I earnestly hope that by limiting myself to well-known ftp sites and
well-known packages, that I afford myself some protection.

More recently I've been downloading source rpms (I run RedHat) and
rebuilding the rpms. In this manner I am sure I have the source that builds
the rpm I install.

The question of who to trust is tricky. We all choose to trust the
distributor of our Linux distribution. Most of us will also trust sites
such as sunsite.unc.edu, sendmail.org, isc.org (home of bind). However,
anyone who trusts os2.ami.com.au is taking a risk.

Note I cite my own machine NOT because it's full of trojan horses, virii
and other undesirables, but because none of you has any particular reason
to assume anything you find there is as blameless as you'd like to think.

Cheers
John Summerfield
http://os2.ami.com.au/os2/ for OS/2 support.
Configuration, networking, combined IBM ftpsites index.