somewhat OT: configure and mterm was Re: Vintage terminals

Jules Richardson julesrichardsonuk at yahoo.co.uk
Fri Mar 9 09:52:26 CST 2007


der Mouse wrote:
> The thing is, configure is an excellent place to hide a malicious
> grappling hook: it is frequently run by naïve installers, not
> uncommonly as root; by the nature of what it does, it is hard to
> sandbox (for example, it *must* be able to compile and run new
> programs); it is large and comparatively difficult to read over for
> human verification.

Isn't that also a major *potential* hazard of open-source in general though? 
At least for the smaller projects with little peer review process, someone 
could relatively easily slip a piece of malicious code into the source - sure 
it'd get spotted and fixed pretty quickly, but it could still happen just as 
easily (or not) as it could with a configure script.

It's a question I've asked myself before of OSS: how do I *know* it's going to 
do what it says it's going to do? Unfortunately the answer seems to be that I 
don't - but thankfully in my experience OSS contributors are a self-policing 
lot, so in reality it doesn't happen.

i.e. if I download some code from your website, I either have to look through 
it all and understand it, or I have to simply trust that your code does 
exactly what you say it'll do - regardless of what procedure's used to build 
it on my system.

cheers

Jules


