On Thu, 14 Jun 2007, Michael Poole wrote:
>
> If the signature is one that serves to indicate origin, to detect
> tampering, or the other things you mentioned, the program's binary is
> useful when separated from the signature. My objection arises when a
> functionally equivalent binary -- including advertised functions such
> as "runs on platform XYZ" -- cannot be produced from the distributed
> source code.

Ahh.

Ok, that's a totally different issue, and is one where I heartily agree
with you. I would actually *love* for the GPL (any version) to have a
"guarantee of authenticity", where if you distribute a binary, there has
to be some documented way to get *exactly* that binary out of the source
code that got distributed.

Of course, SHA1's can be used to verify that, although, quite frankly, I'd
expect that a simple "cmp" would be the more straightforward approach.

So the "verification" can be used both to lock down a particular binary
_and_ to authenticate that the binary really came from the source code it
was claimed to come from.

Of course, in practice, it's actually really nasty to do that
verification. Many compilers actually do things like insert date-stamps in
the object files etc. So it's probably not all that practical.

Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
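
The verification discussed in this message, as an added example that is not part of the original e-mail: a distributed binary is compared byte for byte against a rebuild with `cmp`, SHA-1 digests serve as the summary, and an embedded date-stamp is shown breaking the match. `fake_build`, `sha1_of`, `verify_rebuild`, `demo` and the file contents are constructed stand-ins, not a real compiler or any kernel tooling.

```shell
#!/bin/sh
# Added example (constructed): does a rebuild reproduce the distributed binary?

# fake_build OUT STAMP
# Hypothetical stand-in for a compiler: fixed "code" bytes plus an embedded
# date-stamp, the way many toolchains stamp object files.
fake_build() {
    printf 'CODE:%s\n' 'mov r0, #1; bx lr' > "$1"
    printf 'BUILT:%s\n' "$2" >> "$1"
}

sha1_of() { sha1sum < "$1" | cut -d' ' -f1; }

# verify_rebuild DISTRIBUTED REBUILT
# Prints one summary line; returns 0 only on a byte-for-byte match.
# On mismatch it reports how many bytes differ and the first differing
# offset (1-based), which shows whether the difference is confined to a
# stamp or spread through the code.
verify_rebuild() {
    if cmp -s "$1" "$2"; then
        echo "MATCH sha1=$(sha1_of "$1")"
        return 0
    fi
    if [ "$(wc -c < "$1")" -ne "$(wc -c < "$2")" ]; then
        echo "MISMATCH sizes differ distributed=$(sha1_of "$1") rebuilt=$(sha1_of "$2")"
        return 1
    fi
    # cmp -l lists every differing byte as "offset octal octal".
    ndiff=$(cmp -l "$1" "$2" 2>/dev/null | wc -l | tr -d ' ')
    first=$(cmp -l "$1" "$2" 2>/dev/null | awk 'NR == 1 { print $1 }')
    echo "MISMATCH bytes=$ndiff first_offset=$first" \
         "distributed=$(sha1_of "$1") rebuilt=$(sha1_of "$2")"
    return 1
}

# Constructed demo: a distributed build, a rebuild seven seconds later, and a
# rebuild with the date-stamp pinned to the distributed value (an assumption:
# the toolchain lets the stamp be fixed).
demo() {
    dir=$(mktemp -d) || return 1
    fake_build "$dir/distributed" '2007-06-14T10:00:00'
    fake_build "$dir/rebuilt"     '2007-06-14T10:00:07'
    fake_build "$dir/pinned"      '2007-06-14T10:00:00'
    verify_rebuild "$dir/distributed" "$dir/rebuilt" || true
    verify_rebuild "$dir/distributed" "$dir/pinned"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

A mismatch of one byte at an offset inside the stamp field points at build metadata rather than changed code; a mismatch spread through the file does not.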