autoconf
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

security vs. configure

From: Tom Holroyd
Subject: security vs. configure
Date: Mon, 23 Apr 2001 15:22:17 +0900 (JST) 
Hi.  I'm curious what folks here think about the issue of security in
configure scripts.  We all know the hazards of downloading and running
random programs from the internet (especially binaries), but many people
often download and run "configure" and of course the app being configured.

This problem is getting much worse with people writing scripts and apps
that automatically download, configure, compile and install packages from
off the net.  Many large, critical apps (Python 2.1, for the most
recent example) are being distributed without cryptographic signatures.

Now of course there are several issues: do you trust the source of the
package?  Apps are usually big -- open source is great yada yada but
nobody does a security audit of a 4 meg download before typing "configure;
make".  Do you trust the system you are using?  This may seem like a silly
question but if an attacker has trojaned any of your configure tools then
the package you build and distribute can contain viruses.  In particular,
if you've ever downloaded and built a package with a configure macro
virus, packages that you create and distribute could be infected.

There are some possible solutions; cryptographic signing and signature
verification could be built-in to the configuration process.  The
configuration tools themselves can verify their own integrity before
building a package.

What do you think?  Is this a configure problem or should it be left to
"packagers"?  Can configure include tools that make such integrity
verification easier (and automatic)?  For example, "make dist" or whatever
could always create a GPG-signed file.

What other ways do you see to solve the problem of "configure" being that
"untrusted binary app" that's infected with a virus and nukes your server?

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which
chemical forces are used in repetitious fashion to produce all
kinds of weird effects (one of which is the author)."
        -- Richard Feynman, _There's Plenty of Room at the Bottom_
reply via email to
[Prev in Thread] Current Thread [Next in Thread]