Linked by Thom Holwerda on Wed 21st Sep 2011 22:06 UTC, submitted by kragil
After the walled garden coming to the desktop operating system world, we're currently witnessing another potential nail in the coffin of the relatively open world of desktop and laptop computing. Microsoft has revealed [.pptx] that as part of its Windows 8 logo program, OEMs must implement UEFI secure boot. This could potentially complicate the installation of other operating systems, like Windows 7, XP, and Linux.
RE[3]: Comment by OSbunny
by lemur2 on Thu 22nd Sep 2011 09:53 UTC in reply to "RE[2]: Comment by OSbunny"
lemur2 Member since:
2007-02-17

Actually it is possible to include something in an open source project, but you'll have to also modify the compiler and probably wait a few years too:

Thompson's paper described a modified version of the Unix C compiler that would:

Put an invisible backdoor in the Unix login command when it noticed that the login program was being compiled, and as a twist
Also add this feature undetectably to future compiler versions upon their compilation as well.

http://en.wikipedia.org/wiki/Backdoor_%28computing%29

It is not very likely, but it is possible


That was only possible because the Unix C compiler itself was not open source.

I repeat, it is not possible to put malware into a product using an open source development process.

BTW, Linux is not Unix. BSD is Unix, but Linux isn't.

Edited 2011-09-22 09:54 UTC

Reply Parent Score: 2

RE[4]: Comment by OSbunny
by Lennie on Thu 22nd Sep 2011 10:02 in reply to "RE[3]: Comment by OSbunny"
Lennie Member since:
2007-09-22

You say "it is not possible" to add such a thing to an open source project.

That would be a bit naive.

It is like saying: it is not possible to be struck by lightning.

It is possible, just not very likely.

Reply Parent Score: 2

RE[5]: Comment by OSbunny
by lemur2 on Thu 22nd Sep 2011 10:09 in reply to "RE[4]: Comment by OSbunny"
lemur2 Member since:
2007-02-17

You say "it is not possible" to add such a thing to an open source project.

That would be a bit naive.

It is like saying: it is not possible to be struck by lightning.

It is possible, just not very likely.


An "open source project" typically has dozens, sometimes hundreds, of independent developers, in countries all over the world, poring over the code.

Useful malware would take many hundreds or thousands of lines of source code.

How exactly would you propose that a malicious individual hides hundreds or thousands of lines of code in plain sight as a submission to an open source project being worked on by dozens of others?

It is just not credible that this could happen.

More to the point, in over a decade of open source software development over thousands and thousands of projects, it never has happened.

The proof, as they say, is in the pudding.

Reply Parent Score: 2

RE[4]: Comment by OSbunny
by Alfman on Thu 22nd Sep 2011 10:22 in reply to "RE[3]: Comment by OSbunny"
Alfman Member since:
2011-01-28

lemur2,

"I repeat, it is not possible to put malware into a product using an open source development process."

I really don't want to make a fuss here, but this is the kind of overstated claim that does not take into account all of the possibilities. Could you use less absolute terminology, or at least more qualifiers?

Reply Parent Score: 7

RE[5]: Comment by OSbunny
by lemur2 on Thu 22nd Sep 2011 10:30 in reply to "RE[4]: Comment by OSbunny"
lemur2 Member since:
2007-02-17

lemur2,

"I repeat, it is not possible to put malware into a product using an open source development process."

I really don't want to make a fuss here, but this is the kind of overstated claim that does not take into account all of the possibilities. Could you use less absolute terminology, or at least more qualifiers?


I absolutely think you need to come up with some way that it would be possible, or even remotely feasible, before you start having a "holier than thou" go at someone else.

The whole point of open source is that it is a collaboration, a meritocracy. Lots of solutions are proposed and tried, and the best solution, as agreed by consensus amongst the community of developers, is adopted.

You come along and make an absolutely outrageous claim that this process can be corrupted by malware, in plain sight of everyone. You make this claim despite the fact that amongst thousands of open source projects across many years, it never has happened.

Then somehow you think I am the one who should pull my head in?

Unbelievable! Unmitigated gall. Utter balderdash.

Edited 2011-09-22 10:31 UTC

Reply Parent Score: 0