Linked by Eugenia Loli on Wed 23rd Jan 2008 22:07 UTC
Linux With Linux on the desktop going from a slow crawl to verging on an explosion, many have toiled with the question: How do we make this happen faster? A well-known Austin-based Linux Advocate thinks he has the answer.
Thread beginning with comment 297633
To view parent comment, click here.
To read all comments associated with this story, please click here.
WereCatf
Member since:
2006-02-15

This is not true. Back in 1984, Ken Thompson how to do so, and this specific "malware" was in fact present in Unix for many years before being discovered

That was an interesting read but I think you misunderstood the point there: in this case it's not the source which has malware, it's the compiler which compiles that in at compilation time. It's an interesting idea to inject such code into the compiler itself but not very likely, atleast if we're talking about the most popular compilers in use. It is VERY difficult to get such a patch accepted on any of the official repositories of f.ex. GCC, and if you ran an app on your own PC which tried to do that then it would need the full sources to GCC, recompile it, and then install it over the previous version meaning it would need root access.

OTOH if the actual sources to the software had such a malware in them you might not notice it. But the more devs and users the software has the bigger the likelyhood it will be discovered. Sure, the more code there is the smaller percentage of that such malware would occupy, but with lots of users and devs someone is also bound to notice any weird behaviour. And as I said above, patches submitted for an app are usually checked before they are accepted into the repos.

So, anyway, as a conclusion, in _theory_ it might be possible but in practice it isn't.

Reply Parent Score: 2

james_parker Member since:
2005-06-29

I didn't misunderstand the point, but rather wanted to highlight the fact that the statement "You cannot hide malware in open source" isn't really true. This statement is quite prevalent, and if it's not challenged with some frequency, will eventually will be accepted without question, and that would be dangerous (the Titanic wasn't sinkable either).

While it is true that "it is extremely difficult to hide malware in open source," there are several organizations (national governments) with the resources and motivation to do so, and it is worth keeping in mind, even if it has little impact on day-to-day software development or usage.

Reply Parent Score: 1