> > If a hacker is on your system, he'll also manage to install
> > the compiler himself before using it.
>
> It's still a valid concern. If someone's going to try to
> break into your system and do nefarious deeds, you should be
> trying to make them work for it as much as possible.
Layered security, in general, yes. Security through obscurity, weak, no. You're forgetting that for this compiler discussion to have any weight, the attacker has ALREADY broken into the system - no try - and they are already owning your system. The compiler is the LEAST of your worries at this point.

> Physical security standards recommending not leaving
> toolboxes outside your backdoor so that a thief won't take
> your crowbar and pry your deadbolt lock out of the door jamb.
> If the bastard's going to break in through the back door, at
> least make him bring his own tools with him.

Going back to "shooting yourself in the foot..." you don't remove the crowbar if you have to use that crowbar yourself to get in the door. Or perhaps more accurately for this stupid analogy, if you have to use that same crowbar to crack the intruder in the head when he tries to break in.

The fact is, the OP thought that going through the binary release method was too impractical, AND he had removed the only other method that allowed him to apply updates to his system in a reasonable amount of time.

Apply simple mathematics to this:

- You get 0.001% "better security" by not having a compiler on the system. You for some reason feel safer. You cause those wily attackers to take 5 additional seconds to either transfer and unpack compXX.tgz or set up their own environment on the system anyway.

- You get real security by being able to patch your system by having a compiler on the system. You feel safer because you are safer. Vulnerabilities are averted. The attackers can't exploit your system through the hole you've patched. Call it a 100% improvement.

DS