Linux Today: Linux News On Internet Time.


KernelTrap: Linux Kernel Source Validity

Dec 04, 2002, 19:00 (0 Talkback[s])



"Richard B. Tilley asked on the lkml, 'What is the proper way to verify the kernel source before compiling? There have been too many trojans of late in open source and free software and I, for one, am getting paranoid.' As was explained in a reply, each and every release tarball uploaded to kernel.org has been signed with GnuPG, and thus can be easily verified for validity.

"Larry McVoy carried the conversation a little further, discussing the security of the BK tree. For every diff or file that gets checked in, a checksum is generated to prove its validity. It was mentioned that this could be manually fooled, to which Larry offered, 'Oh, sure, you could, but you'd have to go edit the SCCS files by hand, which is certainly doable, but it raises the bar past most of the script kiddies who do this sort of thing.' Larry continued, 'The bottom line is that, so far, the BK tree is safe. I'll personally commit to providing strong crypto based signatures for changesets within 1 week of the date when someone sticks a trojan in a BK tree. It's not that hard, but it's also a problem that doesn't exist (yet). And we have lots of things to do, just ask any BK user...'"
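The two points above, that a signed release tarball can be checked and that an unkeyed checksum stored beside the data proves nothing against someone who can edit the tree, can be shown in a few lines of shell. The script below is an added example, not code from the KernelTrap thread, from kernel.org or from BitKeeper. It assumes GnuPG 2.1 or later is installed and stands a throwaway key (`release@example.invalid`) and a constructed tarball in for the real release key and release, so it runs entirely offline; the function names and the `.cksum` file are this example's own inventions, while the `.sign` suffix matches what kernel.org publishes beside each tarball.

```shell
#!/bin/sh
# Added example (not from the KernelTrap thread or kernel.org): verify a
# release tarball against its detached GnuPG signature, and contrast that
# with a stored, unkeyed checksum. Runs offline against a throwaway key.
set -u

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"       # scratch keyring; ~/.gnupg is never touched
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"; }
trap cleanup EXIT

SIGNER="release@example.invalid"     # constructed stand-in for the release key
TARBALL="$WORK/linux-0.0.tar"        # constructed stand-in for a kernel tarball

# Create the throwaway signing key (default algorithm, no passphrase, no expiry).
make_release_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$SIGNER" default default never 2>/dev/null
}

# Fingerprint of the key we have decided to trust. For a real release this
# value must come from an out-of-band source, never from the same server that
# serves the tarball and its signature.
trusted_fingerprint() {
    gpg --batch --with-colons --fingerprint "$SIGNER" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Build the constructed release: tarball, detached signature (.sign) made the
# way a release manager would, and an unkeyed checksum file kept beside it.
make_signed_release() {
    mkdir -p "$WORK/src/linux-0.0"
    printf 'int main(void) { return 0; }\n' > "$WORK/src/linux-0.0/init.c"
    tar -C "$WORK/src" -cf "$TARBALL" linux-0.0
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$SIGNER" --output "$TARBALL.sign" \
        --detach-sign "$TARBALL" 2>/dev/null
    cksum "$TARBALL" > "$TARBALL.cksum"
}

# verify_tarball SIG TARBALL FINGERPRINT -> 0 only if the signature is valid
# AND was made by the trusted key. "Good signature" alone is not enough, since
# any key can produce a good signature; gpg's machine-readable status lines
# (--status-fd) let us require VALIDSIG with the expected fingerprint.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# checksum_matches TARBALL CKSUMFILE -> 0 if the stored checksum still matches.
checksum_matches() {
    [ "$(cksum "$1")" = "$(cat "$2")" ]
}

# Simulate a modified tarball whose author also regenerated the stored
# checksum, which anyone able to edit the tree can do. The signature cannot
# be regenerated without the private key.
modify_release() {
    printf '/* bytes that were not in the signed release */\n' >> "$TARBALL"
    cksum "$TARBALL" > "$TARBALL.cksum"
}

if command -v gpg >/dev/null 2>&1; then
    make_release_key
    FPR=$(trusted_fingerprint)
    make_signed_release
    verify_tarball "$TARBALL.sign" "$TARBALL" "$FPR" && echo "pristine: signature OK"
    modify_release
    checksum_matches "$TARBALL" "$TARBALL.cksum" && echo "modified: stored checksum still matches"
    verify_tarball "$TARBALL.sign" "$TARBALL" "$FPR" || echo "modified: signature FAILS"
fi
```

For a real kernel.org release the same `verify_tarball` call applies, with the published `.sign` file as the signature, the uncompressed tarball as the data, and the release manager's fingerprint obtained independently; the checksum branch shows why a checksum that lives in the same tree as the data only guards against accidental corruption, not against an editor with write access.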
