Re: Voting System Standards

From: Douglas W. Jones <jones_at_cs_dot_uiowa_dot_edu>
Date: Fri Aug 01 2003 - 14:34:23 CDT

> On Sunday 27 July 2003 02:10 pm, Alan Dechert wrote:
>
> We can do better than that in Linux. It will be easy to set up an
> install that puts in a cut-down Linux kernel, the boot routines,
> our app, and just the libraries and services used by the app.
> This is standard procedure for any embedded Linux.

Note, however, that a commercial distribution of Linux, say
one of the Red Hat versions, for the sake of argument, is
only "unmodified commercial off-the-shelf third party software"
(unmodified COTS software) under the standards if you make
an "out of the box" install. Only in that case is the OS
exempt from examination.

Once you make a custom install, the source code examiners
can, under the current standard, demand to examine the entire
OS you've installed. Because it's Linux, they can do this
easily.

Under a sensible standard, the pruning of the commercial
distribution to make the embedded version you want should
be done using a script, not using interactive hunt and
peck through the directory tree, and not using interactive
build tools. You can, of course, use those methods to learn
what to put in your script, but once all the experiments are
done, you run the script on a clean system to do the actual
official build. This script should then be treated as
custom software and be subject to audit, while the commercial
off-the-shelf components it's building are subject to a lower
level of inspection (typically, merely verification that they
are the commercial product you've claimed, taken directly from
the commercial distribution media and not through some doctoring
process hidden from audit).

                                Doug Jones
                                jones@cs.uiowa.edu
Received on Fri, 1 Aug 2003 14:34:23 -0500
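
An added example, not part of the original message: one way an auditor could check the output of a scripted build as described above, sorting each file in the pruned image into unmodified COTS (byte-identical to the distribution media), declared custom software, or unexplained. The function names, the directory layout, and the assumption that the media has been unpacked into a tree with the same relative paths as the image are all hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def tree_hashes(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.is_symlink()}

def audit_image(media_dir, image_dir, declared_custom):
    """Classify every file in the built image.

    cots:        byte-identical to the same path on the distribution media
    custom:      declared custom software, subject to full source audit
    unexplained: neither of the above (modified, or of unknown origin)
    """
    media = tree_hashes(media_dir)
    report = {"cots": [], "custom": [], "unexplained": []}
    for rel, digest in tree_hashes(image_dir).items():
        if rel in declared_custom:
            report["custom"].append(rel)
        elif media.get(rel) == digest:
            report["cots"].append(rel)
        else:
            report["unexplained"].append(rel)
    return report

def write_tree(root, files):
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)

def demo():
    """Constructed sample trees standing in for the media and a pruned image."""
    with tempfile.TemporaryDirectory() as tmp:
        media, image = Path(tmp, "media"), Path(tmp, "image")
        write_tree(media, {"boot/vmlinuz": b"kernel", "lib/libc.so": b"libc",
                           "usr/bin/games": b"pruned away by the script"})
        write_tree(image, {"boot/vmlinuz": b"kernel",        # untouched COTS
                           "lib/libc.so": b"libc-patched",   # altered COTS
                           "opt/vote/app": b"our app",       # declared custom
                           "bin/extra": b"origin unknown"})  # not on media
        return audit_image(media, image, {"opt/vote/app"})

if __name__ == "__main__":
    print(demo())
```

Files pruned from the media simply do not appear in the report; anything under "unexplained" is what would take the image out of the lower level of inspection.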
