From: Lie Ryan
Date: Fri, 8 Aug 2014 02:06:14 +1000
To: gentoo-amd64@lists.gentoo.org
Subject: Re: [gentoo-amd64] "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
In-Reply-To: <53E39D0E.5020808@maxandcarrie.com>
References: <46751df7496f4e4f97fb23e10fc9f5b4@mail10.futurewins.com> <53E39D0E.5020808@maxandcarrie.com>

With you having to compile thousands of things if you build from stage 1, I doubt that you will be able to verify every single thing you compile and detect if something is actually doing sneaky stuff AND still have the time to enjoy your system. Also, even if you build from stage 1 and manage to verify all the source code, you still need to download a precompiled compiler which could possibly inject malicious code into the programs it compiles, and which can also inject itself if you try to compile another compiler from source. If there is a single piece of software that is worth a gold mine to inject with malware to gain illicit access to all Linux systems, then it would be gcc. Once you infect a compiler, you're invincible.

Also, did you apply the same level of scrutiny to your hardware?
For the truly paranoid, I recommend unplugging.
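The self-propagating compiler the message describes is Thompson's "trusting trust" attack, and it does have a known countermeasure, Wheeler's diverse double-compiling (DDC). The toy below is an added illustration written for this page; it is not code from the thread, from Gentoo, or from gcc. It models a "compiler" as a Python function that turns source text into object text (the translation is the identity plus a header), and "running" object text means exec()ing it. The login program, the compiler source, the trigger strings and the master password are all constructed for the example.

```python
"""Toy model of a self-propagating compiler backdoor, plus a DDC-style check.

Constructed example. The toy language is Python itself: compile_program(src)
returns object text, and run() executes object text to recover an entry point.
"""

# Constructed login program. Its source is clean: no backdoor to find by audit.
LOGIN_SRC = '''def check_password(pw):
    return pw == "s3cret"
'''

# Constructed, honest compiler source. The translation is just a header stamp.
CLEAN_COMPILER_SRC = '''def compile_program(src):
    return "# object code\\n" + src
'''

# The trusted bootstrap compiler, assumed honest (an independently built or
# hand-audited toolchain). In this toy the clean source itself is executable.
TRUSTED_COMPILER_OBJ = CLEAN_COMPILER_SRC

# Object code of the compromised compiler. It is written as a quine so that it
# can emit its own bytes whenever it is asked to build a compiler; the payload
# lives only in the binary, never in any source a reviewer would read.
TROJAN_TEMPLATE = '''_SELF = %r
def compile_program(src):
    # Trigger 1: rebuilding a compiler from clean source yields this binary again.
    if "def compile_program" in src:
        return _SELF %% (_SELF,)
    # Trigger 2: every login program gets a hard-coded master password.
    if "def check_password" in src:
        src = src.replace("return pw ==", "return pw == 'backdoor' or pw ==")
    return "# object code\\n" + src
'''
TROJAN_COMPILER_OBJ = TROJAN_TEMPLATE % (TROJAN_TEMPLATE,)


def run(obj_code, name):
    """'Execute' object text and hand back the named entry point."""
    ns = {}
    exec(obj_code, ns)
    return ns[name]


def rebuild_compiler(compiler_obj, compiler_src):
    """Build compiler_src with an existing compiler binary; returns object text."""
    return run(compiler_obj, "compile_program")(compiler_src)


def build_login(compiler_obj):
    """Build the login program with the given compiler binary."""
    return run(compiler_obj, "compile_program")(LOGIN_SRC)


def accepts(login_obj, pw):
    """Run a built login program against one password attempt."""
    return run(login_obj, "check_password")(pw)


def ddc_check(trusted_obj, suspect_obj, compiler_src):
    """Diverse double-compiling (Wheeler).

    Build compiler_src with a trusted compiler, rebuild it with the result, and
    compare that to the suspect binary, which claims to be compiler_src built
    by itself. An honest self-built compiler reproduces itself byte for byte;
    a binary that carries a payload its source does not have cannot match.
    """
    stage1 = rebuild_compiler(trusted_obj, compiler_src)
    stage2 = rebuild_compiler(stage1, compiler_src)
    return stage2 == suspect_obj


if __name__ == "__main__":
    # Clean source in, trojan binary out: auditing the source finds nothing.
    gen2 = rebuild_compiler(TROJAN_COMPILER_OBJ, CLEAN_COMPILER_SRC)
    print("compiler source contains 'backdoor':", "backdoor" in CLEAN_COMPILER_SRC)
    print("rebuilt compiler is still the trojan:", gen2 == TROJAN_COMPILER_OBJ)
    print("master password accepted:", accepts(build_login(gen2), "backdoor"))
    print("DDC flags the trojan:",
          not ddc_check(TRUSTED_COMPILER_OBJ, TROJAN_COMPILER_OBJ, CLEAN_COMPILER_SRC))
```

The check only helps if the trusted compiler really is independent of the suspect one: feeding the trojan in as the trusted base makes it reproduce itself on both sides and the comparison passes. That is the practical form of the point made in the message: the guarantee comes from a second, diverse toolchain, not from reading the source you were handed.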