Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Good and Bad Crypto



> From: Derek Martin [mailto:invalid at pizzashack.org]
> 
> On Tue, Apr 22, 2014 at 06:37:51PM +0000, Edward Ned Harvey (blu) wrote:
> > Supposing a bad guy writes software, open source, and makes it
> > available for download in source form as well as precompiled binary,
> > where he's compiled some trojan into the binary.
> 
> Yes, this can happen.  And only if the source is available to you, do
> you have ANY opportunity to verify it or rule it out.  If there is no
> source, there is no possible way for you to know.

Even with the source available, you *still* don't have any way to rule out a trojan binary, because even if you build it yourself, you're very unlikely to get the same exact binary that the distributor distributes.

So if you don't trust the statements made by a software distributor, whether they be "This binary is compiled from the following sources," or "This compiled binary behaves according to the following spec," then literally the only thing you can do is to *both* read and understand all the source for everything you will use, *and* build it yourself.

Don't want to read and build everything yourself?  You're going to use a binary somebody else gave you?  Then you must believe they didn't compile a trojan into it, either because they claim it was built from the open source they've published, or because they claim it behaves according to a spec they've published.
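The point above, that building the published source yourself rarely yields the distributor's exact binary, can be made concrete with a toy build. The script below is an added example, not code from this list post or from BLU: a hypothetical "compiler" (`toy_build`) appends the build directory to its output, standing in for the paths, timestamps and other environment details real toolchains embed. Two builds of identical source in two fresh directories then hash differently, so comparing your own build's hash to the vendor's tells you nothing. Mapping the directory to a fixed prefix (the idea behind gcc's `-ffile-prefix-map` and `SOURCE_DATE_EPOCH`) makes the build reproducible, and only then does a hash match against a published binary mean the source and binary correspond. It assumes a POSIX shell with `mktemp` and either `sha256sum` or `shasum`.

```shell
#!/bin/sh
# Added example (not from the list post): why "build it yourself and compare"
# fails without reproducible builds, and what fixing it looks like.
set -e

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
    | cut -d' ' -f1
}

# toy_build SRC OUT [PREFIX]: hypothetical "compiler" that copies SRC and appends
# a record of the directory it was built in. With PREFIX set, the real directory
# is replaced by PREFIX, mimicking a path-prefix-map option.
toy_build() {
  src=$1; out=$2; prefix=$3
  builddir=$(pwd)
  [ -n "$prefix" ] && builddir=$prefix
  { cat "$src"; printf '\n# built in %s\n' "$builddir"; } > "$out"
}

# build_in_fresh_dir SRC [PREFIX]: build SRC in a brand-new temp directory
# (as two different people's machines would) and print the artifact's SHA-256.
build_in_fresh_dir() {
  src=$1; prefix=$2
  dir=$(mktemp -d)
  cp "$src" "$dir/main.src"
  ( cd "$dir" && toy_build main.src main.bin "$prefix" )
  sha256_of "$dir/main.bin"
  rm -rf "$dir"
}

# verify_against_vendor VENDOR_HASH SRC [PREFIX]: rebuild SRC locally and succeed
# only if the result matches the hash the distributor published for its binary.
verify_against_vendor() {
  vendor=$1; src=$2; prefix=$3
  local_hash=$(build_in_fresh_dir "$src" "$prefix")
  [ "$local_hash" = "$vendor" ]
}

demo() {
  src=$(mktemp)
  printf 'int main(void){return 0;}\n' > "$src"   # constructed sample source
  a=$(build_in_fresh_dir "$src"); b=$(build_in_fresh_dir "$src")
  [ "$a" = "$b" ] && echo "unmapped builds: same" || echo "unmapped builds: differ"
  # Pretend the distributor built with the prefix mapped and published this hash.
  vendor=$(build_in_fresh_dir "$src" /build)
  if verify_against_vendor "$vendor" "$src" /build; then
    echo "prefix-mapped rebuild matches the published hash"
  fi
  if ! verify_against_vendor "$vendor" "$src"; then
    echo "unmapped rebuild does not match the published hash"
  fi
  rm -f "$src"
}

demo
```

Real toolchains have many more sources of nondeterminism than one embedded path (timestamps, file ordering, build IDs), which is why reproducible-builds work is a project-by-project effort; the verification step itself, however, is exactly the hash comparison in `verify_against_vendor`.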



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org