Linked by Thom Holwerda on Mon 11th Jul 2011 21:29 UTC, submitted by sawboss
Multimedia, AV This is a problem I hadn't yet heard of, so it fascinates me to no end. We all know VLC, right? It's one of the best video players out there, and while I myself generally just install the K-Lite Codec Pack, VLC is definitely a good alternative - and pretty much the norm on Linux. They're having a problem, though: malicious folk are bundling VLC with malware, offering it up for download as the official VLC, and misleading users in the process. Not only does this violate the GPL - it's pretty damn low, too.
Thread beginning with comment 480427
saynte Member since:
2007-12-10


All taken care of automatically by the package managers.


Not really, see for example Debian's instructions on how to build from source:

http://www.debian.org/doc/FAQ/ch-pkg_basics.en.html#s-sourcepkgs

This isn't really something a normal user would want to get into, I think. It's certainly not performed by the package manager.

For source-based distributions this would work though, as their package managers are also essentially build systems.


Download both the source and the binary (integrity of downloads is assured via key pair encryption. Repository public keys are distributed with the LiveCD initial distribution installer). Compile the source locally. Compare the binaries using diff, cmp or md5.


Binary comparison wouldn't work unless you had the exact same development toolchain (versions of gcc, ld, etc) as whomever compiled the original. Even within a particular distribution version this may not be the case through updates and fixes to the toolchain.

Reply Parent Score: 1

talaf Member since:
2008-11-19

Yep, it would be very hard to compare binaries resulting from source compilation on different versions of toolchains, especially since a lot of effort and tools are made exactly to ensure that you may compile something everywhere given some basic toolchain and the right library.

That said, I'm not a novice, and I'd trust official repositories. Bad things may happen, but that's true of any platform, the less likely the better!

PS: to the post-scriptum to the manifesto before, could you stop being a gigantic Manichean ass and accept that some people do NOT bash Linux nor OSS, but may prefer paid and/or closed software? I use Windows, FreeBSD and Linux, what does that make me, multiple personality disorder or something? -_-"

Reply Parent Score: 2

lemur2 Member since:
2007-02-17

Binary comparison wouldn't work unless you had the exact same development toolchain (versions of gcc, ld, etc) as whomever compiled the original. Even within a particular distribution version this may not be the case through updates and fixes to the toolchain.


The toolchain which builds the distribution is distributed along with the distribution.

The toolchain components are also updated via the package managers just the same as any other packages are.

Savvy users who keep their systems up to date are able to build source code packages in exactly the same way as the repository maintainers do, using the exact same toolchain. Why should they NOT be able to? It is not as though there is an expensive toolchain for anyone to buy ...

Reply Parent Score: 2

saynte Member since:
2007-12-10

I was talking about binary comparison, (like you were, and like you included in the quote from me in your post), not the ability to get the source compiled at all.

GCC 4.5.0 may produce a binary with a different arrangement of assembly instructions than GCC 4.5.1, and therefore the binaries will be different, and fail a comparison (md5 check, whatever).

Reply Parent Score: 1
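An added illustration of the point made in this sub-thread (not code from any of the posters): a bitwise compare of a locally built binary against the downloaded one, as proposed above with cmp/md5, plus a read of each binary's ELF `.comment` section, where GCC records its version, so that a mismatch caused by GCC 4.5.0 versus 4.5.1 can be told apart from one that needs investigating. The two ELF blobs are constructed in the script (a stripped-down ELF64 carrying only a `.comment` section); `build_elf64_with_comment`, `elf_comment` and `compare_builds` are names chosen here, not tools from the thread.

```python
import hashlib
import struct

def build_elf64_with_comment(comment: bytes) -> bytes:
    # Constructed sample: a minimal ELF64 with only a .comment section (no code).
    shstrtab = b"\0.shstrtab\0.comment\0"
    shstrtab_off = 64                      # right after the ELF header
    comment_off = shstrtab_off + len(shstrtab)
    shoff = comment_off + len(comment)     # section header table at the end
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 1)
    def shdr(name_off, sh_type, off, size):
        return struct.pack("<IIQQQQIIQQ", name_off, sh_type, 0, 0, off, size, 0, 0, 1, 0)
    shdrs = (shdr(0, 0, 0, 0) + shdr(1, 3, shstrtab_off, len(shstrtab))
             + shdr(11, 1, comment_off, len(comment)))
    return ehdr + shstrtab + comment + shdrs

def elf_comment(blob: bytes) -> str:
    # GCC records its version in .comment (e.g. "GCC: (GNU) 4.5.1"); ELF64 LE only.
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    shoff, = struct.unpack_from("<Q", blob, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", blob, 0x3A)
    def section(idx):
        name, _t, _f, _a, off, size = struct.unpack_from("<IIQQQQ", blob, shoff + idx * shentsize)
        return name, off, size
    _, st_off, st_size = section(shstrndx)
    strtab = blob[st_off:st_off + st_size]
    for idx in range(shnum):
        name_off, off, size = section(idx)
        if strtab[name_off:strtab.index(b"\0", name_off)] == b".comment":
            parts = blob[off:off + size].decode("ascii", "replace").split("\0")
            return "; ".join(p for p in parts if p)
    return ""

def compare_builds(local: bytes, downloaded: bytes) -> dict:
    # Bitwise check (what cmp/md5 do) plus compiler tags, so a mismatch is attributable.
    same = hashlib.sha256(local).digest() == hashlib.sha256(downloaded).digest()
    local_cc, remote_cc = elf_comment(local), elf_comment(downloaded)
    if same:
        verdict = "identical"
    elif local_cc != remote_cc:
        verdict = "differ: different toolchains (%s vs %s)" % (local_cc, remote_cc)
    else:
        verdict = "differ: same toolchain tag, investigate the build inputs"
    return {"identical": same, "local": local_cc, "downloaded": remote_cc, "verdict": verdict}

# Constructed stand-ins for a locally built and a downloaded binary.
LOCAL = build_elf64_with_comment(b"GCC: (GNU) 4.5.0\0")
DOWNLOADED = build_elf64_with_comment(b"GCC: (GNU) 4.5.1\0")
```

On a real package the same check would read the `.comment` of the repository's binary and of your own build; matching tags with differing hashes is the case worth a closer look, while differing tags explain the mismatch saynte describes.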