On Tue, 27 Mar 2012, David Ehle <e...@phys.iit.edu> wrote:
> Isn't having compilers/build tools considered a security "no no" if
> possible to avoid?

There have been some attacks on systems which have relied on the presence of various compilers and interpreters; the best known example is the Morris Worm. But there are few of them that couldn't have been written to talk to a server which has binaries for all common platforms and download the code that matches.

Nowadays there are far fewer platforms than there used to be, so any hostile party who develops an exploit for Linux will probably just concentrate on i386 and AMD64 with a somewhat recent GLIBC.

Also there's the issue of how a system is exploited. If an exploit relies on a bug that is specific to a particular architecture of a particular OS then there would be no benefit in the attacker sending source code, as they know exactly the binary that they need to send.

Finally, there's a lot that can be done with Perl, Python, and shell scripts, and a modern Debian system is not very usable without all three of those.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

Archive: http://lists.debian.org/201203271914.29174.russ...@coker.com.au