On Tue, 2 May 2006, josh wrote:
> Hello...
>
> Some people seem to think that installing a compiler inherently makes
> their system less secure... despite never being able to cite any actual
> reasons why.
>
> Personally, I really don't see how a compiler is going to lessen
> security, particularly when they are used to patch the system, but I was
> wondering what people here thought?
It does not matter to have a compiler or not. If a system is compromised, the attacker can bring or create the tools he needs. It's a common misconception that seems hard to fight.

Maybe people are just misinterpreting Ken Thompson's "Reflections on Trusting Trust" <http://cm.bell-labs.com/who/ken/trust.html>. The scenario he describes applies to development systems and systems to build the releases as well as production systems.

But more likely the people who say "compilers are dangerous!" are just repeating what they hear, without researching what others have said about the subject or doing some thinking themselves.

-Otto