Subject: Re: are the binaries safe?
To: César Catrián <cesar_catrian@yahoo.com>
From: David Maxwell <david@crlf.net>
List: tech-pkg
Date: 05/13/2003 01:03:31
On Mon, May 12, 2003 at 08:37:37PM -0500, César Catrián wrote:
> hi folks.
> 
> I would like to know how 'safe' and 'secure' the
> binary packages (.tgz) are for use in a
> production environment. I would like to know points of
> view about the binaries generated by netbsd.org, and
> external binaries like www/phoenix-bin and
> lang/sun-jdk14, for example.

The servers that do the building have never had any break-ins. Of course,
you're also trusting the developer who committed/updated the package, and
the extent to which they verified the code...

> I have talked with some friends about it. All said
> that they don't want binaries on their netbsd systems,
> but I told them that if they don't look at the code, the
> compile process would just be a waste of time.

You're both right, a bit. One advantage of building from source, even if
you haven't inspected it, is that you _do have it_ if you see some odd
behaviour, or learn about a trojan in some 3rd party source
distribution. You can always look after the fact. If you install from
binaries, it's not an option.

> If the
> compiler were able to detect some common
> vulnerabilities (some shellcode, some programmed and
> unrelated connection), choosing source would be the
> right choice. But that is another story.

That's essentially unsolvable. There are too many ways to write
shellcode to detect them automatically in arbitrary source code.

> I trust binaries made on netbsd.org, and binaries made
> by open source orgs, in that order. A system
> made entirely from binaries should be easy to maintain. I
> don't trust closed source binaries, but that is a personal
> opinion.

Hopefully open source projects (including NetBSD) will move towards
providing signatures of their distributions so that you can at least
decide whether to trust an individual (or project) and his
key-management policies, rather than every middleman that redistributes
a .tgz.

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Mastery of UNIX, like
mastery of language, offers real freedom. The price of freedom is always dear,
but there's no substitute. Personally, I'd rather pay for my freedom than live
in a bitmapped, pop-up-happy dungeon like NT. - Thomas Scoville
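The last point of the reply above (a signature lets you pin trust to a project's key instead of to whichever mirror served you the .tgz) can be made concrete. The following Go program is an added illustration and is not code from the original thread, from NetBSD, or from pkgsrc; it uses ed25519 and SHA-256 from the standard library, a constructed byte string in place of a real archive, and hypothetical names (`Publish`, `TamperAtMirror`, `Verify`) chosen for this example. It shows why a checksum file served by the same mirror as the archive proves nothing, while a signature over the digest, checked against a pinned public key, catches both a swapped archive and a mirror that re-signs with its own key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what a project would publish next to a package: the .tgz
// bytes, a SHA-256 digest of them (anyone, including a mirror, can recompute
// this), and an ed25519 signature over the package name and digest, which
// only the holder of the project's private key can produce.
type Release struct {
	Name    string
	Archive []byte
	Digest  string
	Sig     []byte
}

// signedMessage binds the digest to the package name, so a genuine
// signature for one package cannot be copied over to vouch for another.
func signedMessage(name, digest string) []byte {
	return []byte(name + "\n" + digest)
}

func sha256Hex(b []byte) string {
	d := sha256.Sum256(b)
	return hex.EncodeToString(d[:])
}

// GenerateProjectKey stands in for a project's long-term signing key pair.
func GenerateProjectKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Publish is the project side: hash the archive, then sign name+digest.
func Publish(priv ed25519.PrivateKey, name string, archive []byte) Release {
	digest := sha256Hex(archive)
	return Release{
		Name:    name,
		Archive: append([]byte(nil), archive...),
		Digest:  digest,
		Sig:     ed25519.Sign(priv, signedMessage(name, digest)),
	}
}

// TamperAtMirror models a middleman that redistributes the release: it swaps
// in its own archive and regenerates the checksum file, but has no way to
// produce a signature under the project's private key.
func TamperAtMirror(r Release, replacement []byte) Release {
	r.Archive = append([]byte(nil), replacement...)
	r.Digest = sha256Hex(replacement)
	return r
}

// ChecksumMatches is all a consumer can check when the only trust anchor is
// a checksum file fetched from the same place as the archive.
func ChecksumMatches(r Release) bool {
	return sha256Hex(r.Archive) == r.Digest
}

// Verify is what a consumer with the project's pinned public key can check:
// the archive matches the digest, and the digest was signed by the project.
func Verify(pub ed25519.PublicKey, r Release) error {
	if !ChecksumMatches(r) {
		return errors.New("archive does not match published digest")
	}
	if !ed25519.Verify(pub, signedMessage(r.Name, r.Digest), r.Sig) {
		return errors.New("signature does not verify under the project key")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateProjectKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a package archive; a real .tgz would be read from disk.
	rel := Publish(priv, "example-1.0", []byte("example-1.0.tgz contents"))
	fmt.Println("genuine release verifies:", Verify(pub, rel) == nil)

	bad := TamperAtMirror(rel, []byte("example-1.0.tgz with an extra payload"))
	fmt.Println("tampered copy passes checksum:", ChecksumMatches(bad))
	fmt.Println("tampered copy verifies:", Verify(pub, bad))

	// A mirror that re-signs with its own key still fails against the pinned key.
	_, mirrorPriv, _ := GenerateProjectKey()
	resigned := Publish(mirrorPriv, "example-1.0", bad.Archive)
	fmt.Println("re-signed copy verifies:", Verify(pub, resigned))
}
```

The consumer's only long-lived decision is which public key to pin; everything downstream of that (mirrors, CDNs, a colleague's USB stick) becomes untrusted transport, which is the trade the reply describes. What the signature does not cover is the question raised earlier in the thread: whether the committer who built the archive looked at what they were building.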