Re: Left off the ballot?

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Thu Apr 15 2004 - 11:43:05 CDT

On Apr 15, 2004, at 12:04 PM, Alan Dechert wrote:
> Couldn't we also hide much of this code in special DLLs we substituted
> for
> DLLs that came with the OS? Do examiners look at how OS DLLs get used?

In principle, examiners certainly SHOULD look at dynamic libraries. In
practice, they probably don't. And if the system is built on a
proprietary OS (Windows), they CANNOT meaningfully check these.

If we use Free Software, we benefit a lot from other people's work.
Certainly, we (or certifying agencies) can read the library source
code, and compile afresh. But many or most Free Software libraries are
also available in binary form, accompanied by signatures/hash-sums to
verify their accuracy.

For example, the Debian Group might release a binary copy of libpng.so
that comes with a published MD5 (and the MD5 signed by the Debian
Group's RSA public key). Publishing this hash is a statement that,
roughly, "We have examined the source code, found no known (critical)
bugs, and this binary is compiled from the very source we checked."
All of this is only as good as our trust of Debian--but that's pretty
good, especially once you understand the social structure of that
project. And if you don't like Debian, get Suse's signed binary (most
likely, the two won't be byte-wise identical though, since slightly
different compiler versions and switches will be used between the two).

Yours, David...
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Fri Apr 30 23:17:06 2004

This archive was generated by hypermail 2.1.8 : Fri Apr 30 2004 - 23:17:29 CDT