
Re: [Pan-users] Re: OT: freedomware vs... Was: Building Pan on Windows?


From: Steven D'Aprano
Subject: Re: [Pan-users] Re: OT: freedomware vs... Was: Building Pan on Windows?
Date: Sun, 7 Mar 2010 13:21:55 +1100
User-agent: KMail/1.9.9

On Sun, 7 Mar 2010 05:48:26 am Alan Meyer wrote:

> I have to agree with some of your points.  On the issue of trust,
> for example, I trust that the open source software that I run is
> safe.  However I have found that a number of closed source
> programs I have installed on my Windows machines included
> spyware.  And those are the ones I was able to find out about.
> There may be many others that I didn't find out about that also
> include spyware.
>
> That's not to say that all authors of non-free software are
> untrustworthy, but without the source code we can't easily tell
> if they are trustworthy.

I'm not quite as vehement as Duncan, but as a general principle I agree 
with him. I also agree with you regarding the trustfulness of source vs 
binary-only distribution, *but* as a matter of practicality, who has 
the time or expertise to do a full code audit of all their applications 
and operating system? For all I know, Charles has inserted a cunning 
piece of software into Pan which monitors everything I type and sends a 
copy to him, and either nobody has spotted it or those who have are in 
on the plot...

(Paranoid? Are you working for them??? *wink*)

But even having access to the source code isn't itself enough to trust 
the software. You also need to have access to the compiler used to 
build the software. Not just the compiler itself, but the source code 
of that compiler, AND the source code of the compiler used to build the 
compiler. In short, you need to analyse the entire tool chain that 
builds the application.

The great Ken Thompson (co-inventor of Unix and inventor of B, the 
precursor to C) published a paper "Reflections on Trusting Trust" which 
describes how he subverted the C compiler to insert a backdoor to the 
login program:

http://en.wikipedia.org/wiki/Backdoor_(computing)#Reflections_on_Trusting_Trust
http://cm.bell-labs.com/who/ken/trust.html

I say all this, not to disagree with the basic premise that open source 
software is generally more trustworthy than closed source, or to 
disagree that transparency is valuable, but to point out that malware 
can come in many disguises.



-- 
Steven D'Aprano
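The "analyse the entire tool chain" point above has a practical shape, shown here as an added illustration that is not code from this thread or from Pan. It models two things: a walk over build provenance that lists every tool you would have to audit to trust a binary, and flags the self-hosting loop (a compiler built by itself) where Thompson's backdoor hides; and the comparison step of diverse double-compiling, David A. Wheeler's countermeasure, in which the same source built by two independently written toolchains must produce bit-identical output. The toy stack language, the two compilers, the "tampered" stand-in and the sample artifact names are all constructed for the example.

```python
"""Toolchain provenance walk and a diverse-double-compiling (DDC) check.

Added example (not from the pan-users thread or the Pan project). The toy
language, both compilers, the tampered stand-in and the artifact names
below are constructed; the DDC idea is Wheeler's published technique.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# --- a toy language and two independently written compilers -------------
OPCODES = {"PUSH": 0x01, "ADD": 0x02, "PRINT": 0x03}

def compile_a(src: str) -> bytes:
    """Compiler A: tokenises each line with str.split()."""
    out = bytearray(b"TOY1")                      # constructed magic header
    for line in src.strip().splitlines():
        parts = line.split()
        out.append(OPCODES[parts[0]])
        if parts[0] == "PUSH":
            out.append(int(parts[1]) & 0xFF)      # one-byte immediate
    return bytes(out)

def compile_b(src: str) -> bytes:
    """Compiler B: same language, written independently with a regex.
    Independence of implementation is what gives the DDC comparison teeth."""
    out = bytearray(b"TOY1")
    pattern = r"^\s*(PUSH)\s+(\d+)|^\s*(ADD|PRINT)\s*$"
    for m in re.finditer(pattern, src, re.M):
        if m.group(1):
            out += bytes([OPCODES["PUSH"], int(m.group(2)) & 0xFF])
        else:
            out.append(OPCODES[m.group(3)])
    return bytes(out)

def compile_tampered(src: str) -> bytes:
    """Stand-in for an unfaithful toolchain: its output carries an extra
    PRINT the source never asked for. Only the mismatch matters here."""
    return compile_a(src) + bytes([OPCODES["PRINT"]])

def ddc_check(src: str, compilers: Dict[str, Callable[[str], bytes]]
              ) -> Tuple[bool, Dict[str, str]]:
    """Build `src` with every independent compiler and compare digests.
    Returns (all_agree, {compiler_name: sha256}). A disagreement means at
    least one toolchain is not faithful to the source, without saying which."""
    digests = {name: hashlib.sha256(c(src)).hexdigest()
               for name, c in compilers.items()}
    return len(set(digests.values())) == 1, digests

# --- what must be trusted to trust a given binary ------------------------
@dataclass(frozen=True)
class Artifact:
    name: str
    built_by: Optional[str]   # None: a hand-audited root of the chain

def audit_set(artifacts: Dict[str, Artifact], name: str) -> Tuple[List[str], bool]:
    """Follow built_by links from `name` to a root. Returns (chain,
    self_hosting); self_hosting is True when the chain loops back on itself,
    i.e. some tool was built by itself and source review alone cannot
    establish trust in it."""
    chain, seen, cur = [], set(), name
    while cur is not None:
        if cur in seen:
            return chain, True
        seen.add(cur)
        chain.append(cur)
        cur = artifacts[cur].built_by
    return chain, False

# Constructed sample provenance: "cc" is self-hosting, "cc2" is bootstrapped
# from a hand-audited root.
ARTIFACTS = {
    "pan":          Artifact("pan", built_by="cc"),
    "cc":           Artifact("cc", built_by="cc"),
    "cc-bootstrap": Artifact("cc-bootstrap", built_by=None),
    "cc2":          Artifact("cc2", built_by="cc-bootstrap"),
}

# Constructed sample program in the toy language.
SAMPLE = "PUSH 2\nPUSH 3\nADD\nPRINT"

if __name__ == "__main__":
    print("faithful pair agree:", ddc_check(SAMPLE, {"a": compile_a, "b": compile_b})[0])
    print("with tampered build:", ddc_check(SAMPLE, {"a": compile_a, "t": compile_tampered})[0])
    print("audit set for pan:", audit_set(ARTIFACTS, "pan"))
    print("audit set for cc2:", audit_set(ARTIFACTS, "cc2"))
```

The check only tells you that the toolchains disagree, not which one is wrong; that is why the second compiler must be genuinely independent (different authors, ideally a different language) rather than another build of the same code. The provenance walk is the other half of the argument in the mail: a binary is only as trustworthy as every link it reports, and a self-referential link is where review of the source stops being sufficient.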

