--
At 03:01 PM 6/21/99 -0400, Michael Cervantes wrote:
> Most open source software is distributed in a tar file with
> just makefiles, docs, and source. You compile the object
> directly from the source code that is provided. However,
> binary packages are becoming more common as package
> management apps like Redhat's RPM become ubiquitous, and it
> is important that sys admins recognize the significance of
> this.
An RPM is usually fully recompilable on the machine on which
it is installed. With most Red Hat packages from RedHat, it
should be possible to regenerate the binary part.
Obviously with crypto code, it might well be a good idea to
do exactly that.
RPM format also supports master and patch files, where the
master file is the official release approved by the module
developer, and the patch files are issued by the person
integrating the modules for a particular system.
This system protects against possible back doors, since the
leader who blessed the release is presumably widely trusted,
and his code widely scrutinized, and the patch code should be
small, and therefore easy to scrutinize.
Regrettably it does not support digital signatures or user
visible checksums for these two groups of files, because
these paranoid precautions are not yet part of the open
source development process, though they probably should be.
It would be nice if one day RPM manager supported a
description of source code similar to a source code control
system that says:
This portion of the code has been approved by this
person
This portion has been approved by this other person.
This patched assembly of all the various portions has
been approved by this leader as the official release
of version 5.4 of this package.
These patches to the official release have been made
to make the official release of this package work in
environment such and such by the integrator for
system such and such
And contained code to check that these approvals are genuine.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
zEiTDP7x8kdgUQ2TW9ejCBi0BcR3duFU/bOzBSeC
4PDuCsdZFV8JYR6SDgRDo7oxLN7xrqJktUE3KiOiC
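The post above asks for user-visible checksums kept separately for the two groups of files: the leader's official release and the integrator's patches. The following is an added example, not code from the original post or from RPM itself, showing how such a two-group manifest can be built and verified so that a change in a patch file is reported on its own and does not implicate the upstream release. The file names and contents are constructed for the example; SHA-256 is used in place of the checksum the post leaves unspecified.

```python
import hashlib
from typing import Dict, List

# Constructed sample "files" standing in for the two groups the post
# describes. In a real check these bytes would be read from disk.
MASTER_RELEASE: Dict[str, bytes] = {
    # hypothetical official release tarball blessed by the module leader
    "foo-5.4.tar.gz": b"\x1f\x8b\x08\x00constructed-tarball-bytes",
}
INTEGRATOR_PATCHES: Dict[str, bytes] = {
    # hypothetical patch issued by the person integrating it for one system
    "foo-5.4-redhat.patch": (
        b"--- a/config.h\n+++ b/config.h\n@@ -1 +1 @@\n"
        b'-#define PREFIX "/usr/local"\n+#define PREFIX "/usr"\n'
    ),
}


def digest(data: bytes) -> str:
    """Hex SHA-256 of a file's content (the user-visible checksum)."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file name to its checksum; this is what the releasing
    party would publish alongside the files."""
    return {name: digest(data) for name, data in sorted(files.items())}


def verify_manifest(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return the names that fail the check: content differs from the
    manifest, listed but missing, or present but not listed at all."""
    problems = []
    for name, expected in manifest.items():
        if name not in files:
            problems.append(name)          # listed but absent
        elif digest(files[name]) != expected:
            problems.append(name)          # content changed
    for name in files:
        if name not in manifest:
            problems.append(name)          # unlisted extra file
    return sorted(problems)


def check_release(master: Dict[str, bytes], patches: Dict[str, bytes],
                  master_manifest: Dict[str, str],
                  patch_manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Check the two groups separately, as the post proposes, so a problem
    in the (small, reviewable) patch set is reported on its own."""
    return {
        "master": verify_manifest(master, master_manifest),
        "patches": verify_manifest(patches, patch_manifest),
    }


def tamper_demo():
    """Run the check on the clean files and on a copy whose patch file
    has had a line appended after the manifest was published."""
    master_manifest = build_manifest(MASTER_RELEASE)
    patch_manifest = build_manifest(INTEGRATOR_PATCHES)
    clean = check_release(MASTER_RELEASE, INTEGRATOR_PATCHES,
                          master_manifest, patch_manifest)
    altered = dict(INTEGRATOR_PATCHES)
    altered["foo-5.4-redhat.patch"] += b"+extra line not in the manifest\n"
    tampered = check_release(MASTER_RELEASE, altered,
                             master_manifest, patch_manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = tamper_demo()
    print("clean:   ", clean)      # both groups report no problems
    print("tampered:", tampered)   # only the patch group is flagged
```

The manifest itself is only as trustworthy as the channel it arrives over; it gives the user something to compare against, which is the point the post makes, but turning it into the approval chain the post sketches still requires each manifest to be signed by the party who blessed that group of files.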