On 14 Jul 2003, Ernest Baca said:
> I can see your point if the Author said that the source was there but it
> really isn't. Yes it is offered under the GPL as mine. GPL states that the
> source is available. It is available from Debian or from the download site.
> If I put the sources to all my tools on the CD there wouldn't be room. If
> I am not mistaken KNOPPIX has no source available on the CD, but it is
> available. Also, just because you put source on the CD doesn't mean that it
> is the same source that you used to compile the tool. I can compile a tool,
> put in a trojan and then put the original sources on the CD and say it's the
> source I used to compile the tool. So you have the sources, big deal; in
> reality they are the wrong ones. Just because someone says here are the
> sources doesn't always lend more credibility to a product unless you test
> it against the compiled version, which would be the same as downloading it
> from the internet and testing the source against the compiled version.
I agree those are all issues to be watched. The doc on the CD, though,
indicates he couldn't get the source code for some of the tools he included.
That fails the very first test for trustworthy security tools, IMHO.
> So just because KNOPPIX doesn't have the Kernel Source on the CD don't trust
> it?
I'm not saying the source has to be on the CD. In fact, I already said it
was great that knoppix-std was coming with source code. That's actually
really cool for the security tools as you can compile them locally. Not
certain if that's helpful, but I know people who will insist it's mandatory.
> The reason I bring this up is that sometimes, because of the open source
> attitude, we say if it ain't got source then it isn't trusted. Well, guess
> what, people trust Microsoft every day. Open source means that the source is
Yes and Outlook has had more holes than any swiss cheese I've ever seen :).
> available to test against the compiled version. Available doesn't mean on
> the CD.
Agreed.
> Now I am not very familiar with KNOPPIX-STD. I do have a copy but haven't
> tested it. Now if there are tools where you can't find the source or no
> link to the source then I would say that's another story.
That's what his welcome page indicates.
> What I did was to provide links to the additional tools I installed on my
> Distro. Also, a lot depends on the credibility of the Author. Is the Author
> of KNOPPIX-STD trustworthy enough to trust? These are things that need to
> be addressed also. If the Author is a known hacker or criminal then I
> wouldn't trust it. If he is well respected in the infosec community then I
> trust he didn't do anything to the sources. That doesn't mean that I
> wouldn't test it. I am a law enforcement officer who has to testify in
> court. I have to meet a higher standard compared to private industry. The
> way I accomplish this is by building proficiency with tools and at least
> testing them.
He claims to be a network security dude, but his credibility is rocked when
I read that he couldn't get the sources for all of the tools he included,
IMHO.
> I don't want to argue with you, just point out that sometimes too much
> importance is placed on sources and not enough on testing.
I agree with you that testing does not get the effort it needs. I also agree
that having the sources isn't enough.
ciao,
der.hans
-- 
# https://www.LuftHans.com/ http://www.AZOTO.org/
# "Science is like sex: sometimes something useful comes out, but
# that is not the reason we are doing it." -- Richard Feynman
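
The check both posters describe (sources on the CD prove nothing until you rebuild them and compare against what the CD actually ships) as a worked example. This is added here and is not code from the list, from KNOPPIX-STD or from any distro. It assumes three inputs: the source tarball the CD ships or links to, a SHA-256 for that tarball published by the upstream project (not by the CD), and a directory of binaries you rebuilt yourself from that source. The file names, contents and hashes in demo() are constructed stand-ins.

```python
"""Rebuild-and-compare check for binaries shipped on a security live CD.

Added example, not code from the list post or from any distro.  Assumes
(a) the shipped/linked source tarball, (b) a SHA-256 for it published by
the upstream project, and (c) a tree of binaries rebuilt from that source.
Everything under demo() is constructed stand-in data.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 (binaries can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def source_matches_upstream(tarball, published_sha256):
    """Step 1: shipped source is only evidence if it is the upstream source.

    `published_sha256` has to come from the upstream project (release page,
    signed checksum file), not from the CD that is being evaluated."""
    return sha256_file(tarball) == published_sha256.strip().lower()


def compare_trees(shipped_dir, rebuilt_dir):
    """Step 2: compare each shipped binary with the one rebuilt from source.

    Returns {relative path: "match" | "differs" | "missing_rebuild" |
    "extra_rebuild"}.  "missing_rebuild" is the 'no source available' case
    from the thread: there is nothing to test the shipped binary against."""
    shipped_dir, rebuilt_dir = Path(shipped_dir), Path(rebuilt_dir)
    shipped = {p.relative_to(shipped_dir): p
               for p in shipped_dir.rglob("*") if p.is_file()}
    rebuilt = {p.relative_to(rebuilt_dir): p
               for p in rebuilt_dir.rglob("*") if p.is_file()}
    report = {}
    for rel, path in shipped.items():
        if rel not in rebuilt:
            report[str(rel)] = "missing_rebuild"
        elif sha256_file(path) == sha256_file(rebuilt[rel]):
            report[str(rel)] = "match"
        else:
            report[str(rel)] = "differs"
    for rel in rebuilt:
        if rel not in shipped:
            report[str(rel)] = "extra_rebuild"
    return report


def all_match(report):
    """True only if every shipped file was rebuilt and matched bit for bit."""
    return bool(report) and all(v == "match" for v in report.values())


def demo():
    """Constructed fixture: one matching tool, one tampered, one without source."""
    root = Path(tempfile.mkdtemp())
    shipped, rebuilt = root / "cd_bin", root / "rebuilt_bin"
    shipped.mkdir()
    rebuilt.mkdir()
    # Constructed stand-ins for compiled binaries (not real ELF files).
    (shipped / "tool_a").write_bytes(b"\x7fELF tool_a build A")
    (rebuilt / "tool_a").write_bytes(b"\x7fELF tool_a build A")
    (shipped / "tool_b").write_bytes(b"\x7fELF tool_b build A" + b" + extra bytes")
    (rebuilt / "tool_b").write_bytes(b"\x7fELF tool_b build A")
    (shipped / "tool_c").write_bytes(b"\x7fELF tool_c, no source on CD")
    # Constructed "tarball"; the published hash is a stand-in for the value
    # you would copy from the upstream project's release page.
    tarball = root / "tool-1.0.tar.gz"
    tarball.write_bytes(b"constructed tarball contents")
    published = hashlib.sha256(b"constructed tarball contents").hexdigest()
    return {
        "source_ok": source_matches_upstream(tarball, published),
        "source_wrong_hash": source_matches_upstream(tarball, "0" * 64),
        "report": compare_trees(shipped, rebuilt),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two caveats when reading the report. A "differs" is not by itself proof of a trojan: a rebuild with a different compiler version, flags, or embedded build timestamp will differ too, so the next step is to rebuild with the CD's own toolchain and flags (or compare stripped binaries and disassembly) before drawing conclusions. And step 1 is only as strong as where the published hash came from; a checksum copied from the same CD proves nothing.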