“Richard B. Tilley asked on the lkml, ‘What is the proper way
to verify the kernel source before compiling? There have been too
many trojans of late in open source and free software and I, for
one, am getting paranoid.’ As was explained in a reply, each and
every release tarball uploaded to kernel.org has been signed with
GnuPG, and thus can be easily verified for validity.”

“Larry McVoy carried the conversation a little further,
discussing the security of the BK tree. For every diff or file that
gets checked in, a checksum is generated to prove its validity. It
was mentioned that this could be manually fooled, to which Larry
offered, ‘Oh, sure, you could, but you’d have to go edit the SCCS
files by hand, which is certainly doable, but it raises the bar
past most of the script kiddies who do this sort of thing.’ Larry
continued, ‘The bottom line is that, so far, the BK tree is safe.
I’ll personally commit to providing strong crypto based signatures
for changesets within 1 week of the date when someone sticks a
trojan in a BK tree. It’s not that hard, but it’s also a problem
that doesn’t exist (yet). And we have lots of things to do, just
ask any BK user…'”
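The verification step the lkml reply refers to, written out as an added shell example (this is not code from KernelTrap, the kernel project or anyone quoted above). It assumes the current kernel.org layout, in which a detached linux-X.Y.tar.sign covers the uncompressed tarball, and that the kernel.org signing keys are already imported into the local keyring; verify_kernel_tarball is a hypothetical helper name. The caveat it builds in is the one that matters in practice: a good signature from a key nobody has checked proves nothing, so the function only reports success when gpg also says the signing key is trusted.

```shell
#!/bin/sh
# Added example (not from the KernelTrap page or the kernel project).
# Assumes the current kernel.org layout: linux-X.Y.tar.xz plus a detached
# linux-X.Y.tar.sign covering the *uncompressed* tarball, and that the
# kernel.org signing keys are already in the local keyring, e.g. via
#   gpg --locate-keys torvalds@kernel.org gregkh@kernel.org
set -u

# verify_kernel_tarball <linux-X.Y.tar.xz> <linux-X.Y.tar.sign>
# Exit status: 0 good signature from a trusted key, 1 bad or absent
# signature, 2 usage/environment problem, 3 good signature but the
# signing key is not trusted locally.
verify_kernel_tarball() {
    tarball_xz=$1
    signature=$2

    [ -f "$tarball_xz" ] || { echo "missing tarball: $tarball_xz" >&2; return 2; }
    [ -f "$signature" ]  || { echo "missing signature: $signature" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }
    command -v xz  >/dev/null 2>&1 || { echo "xz not found" >&2; return 2; }

    # The signature is over the plain .tar, so decompress first (keeping
    # the .xz so it can still be re-checked or passed on unchanged).
    tarball=${tarball_xz%.xz}
    xz -dkf "$tarball_xz" || { echo "decompression failed" >&2; return 2; }

    # --status-fd gives machine-readable lines ("[GNUPG:] GOODSIG ...",
    # "[GNUPG:] TRUST_ULTIMATE ...") that are safer to test than the
    # human-readable output and do not depend on the locale.
    status=$(gpg --status-fd 1 --verify "$signature" "$tarball" 2>/dev/null)

    if ! printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then
        echo "FAIL: no good signature on $tarball" >&2
        return 1
    fi
    # A good signature from an unknown key proves nothing: whoever can
    # replace the tarball can also supply a key. Require the key to be
    # trusted in the local keyring, i.e. its fingerprint was checked.
    if ! printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)'; then
        echo "WARN: good signature, but the signing key is not trusted" >&2
        return 3
    fi
    echo "OK: $tarball verified"
    return 0
}

# Usage: verify_kernel_tarball linux-X.Y.tar.xz linux-X.Y.tar.sign
```

Run it against the .tar.xz and .tar.sign downloaded together from kernel.org; a return of 3 means the signature checked out but the key's fingerprint still has to be confirmed out of band before the tree should be trusted.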
KernelTrap: Linux Kernel Source Validity