RE: Binary release announcements?

[Greg A. Woods]

[ On Wednesday, February 18, 2004 at 10:21:41 (-0500), Jim.Hyslop wrote: ]
> Subject: RE: Binary release announcements?
>
> A perfect case in point is the recent thread about the Windows build being
> broken - again. I've been through this many times with various open source
> projects, and trying to get the software to build just is not worth the
> hassle involved if there's a pre-built binary available from a site I trust
> (there's that word again).

You're drastically confusing the concepts involved here.

If you can't, or won't, build the software you use yourself then you
need to find someone who can _and_ who you trust to do that for you.

Perhaps that's some big software company like Microsoft.

Perhaps it's just some group of volunteers who stake their reptuations
on the quality of the software they create (even though most every one
will disclaim all responsibility for damages or loss you might incur
when using their software  :-).

What I'm trying to say is that with some project like CVS here, where
the primary development and testing is _not_ done on the platform most
binary users want binaries for, and where even the build of the binary
offered up isn't done by the same people who create the official source
releases, the web of trust starts to get pretty thin and wobbly.  The
fact the recent M$-Windoze build was busted "out-of-the-box" so to speak
is perfect evidence as to why even an apparently unroken build should
not be trusted -- it has clearly not even been tested (IIUC)!

Of course my ranting on about security awareness to people who don't
want to be aware of security issues and who don't want to pay to be
secure, is no doubt only annoying those who are aware and who are
willing to pay the price.

> I trust that the maintainers of the cvshome web site will not knowingly do
> anything malicious, and will act quickly to remove anything from the web
> site that they learn is malicious.

The problem with computers and digital networking is that the malicious
acts can be perpetrated several steps removed from where one might
expect them to happen and by the time anyone's aware of what's happened
it's far too late because these speedy little machines and wire's we've
created have already spread the damage further and wider than any human
could ever imagine possible without understanding the many quantum leaps
computing technology gives the criminal.

PLEASE read Schneier's book "Secrets & Lies".

> And then there's the question of competence. I know we're talking
> specifically about CVS here, which is not a hugely complex program, but your
> statements above are very general. There are certain programs I simply am
> not qualified to judge whether or not the source code is correct - GPG, for
> example. I have no choice but to trust that the source code is correct.
> There's no point in me even looking at the code. So, if I'm not even going
> to look at the code, why should I have to compile it from source if there's
> a pre-built binary available?

That's what web's of trust are all about.  You can hopefully trust GPG
because a bunch of extremely paranoid experts trust it.  You trust a
GPG-signed CVS source archive because you can verify it's signature with
GPG.  You trust the person who signed the archive because you can link
that signature to others who trust that person and because you can view
the changes that are in that archive vs. the last release that you came
to trust by some manner.  You don't even have to view those changes or
pay someone to view them for you -- the mere fact that you can, and that
anyone can and almost certainly has, is what gives you confidence that
if anything bad had slipped in then it would be quickly identified and
ripped out again.

However if you just download a binary off the net from somewhere, even
one that's signed by the builder, then you have no idea what's in it
(because you might not be able to trust the tools used to build the
binary, and maybe the person who did the build doesn't even use what he
or she built on a daily basis).  About the only safe way to validate a
binary build is to build another binary using a trusted set of tools
that match the tools the original was claimed to have been built by, and
to then compare the resulting binaries (allowing for innocuous
differences that might be introduced by temporal or locale differences
in the build process).  So, if you can do that then you can do the build
yourself in the first palce.  Of course there's still the trojan
compiler problem, but you have to start somewhere and you have to remain
on the lookout for things going wrong no matter how much you trust your
tools.

-- 
                                                Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <address@hidden>
Planix, Inc. <address@hidden>          Secrets of the Weird <address@hidden>