PGP source code
Adrian Midgley <akm at 92tr.freeserve.co.uk>
Mon, 3 Sep 2001 14:17:09 +0100
From: Ben Laurie <ben@algroup.co.uk>
>> > > Actually, the main reason I would want to compile it would be to verify
>> > > that the result was the same binary as I had already obtained (legally)
>> > > from NAI. (How easy is it to do that check in practice?)
>> >
>> > In my experience, impossible - the problem being that parts of the
>> > binary (padding, typically) tend to be from uninitialised data.

Whereas the source code is relatively easy to sign, either a piece at
a time, or en masse or rolled up into a hash tree, so the sensible
thing to do is to sign the source code, and then compile from that
source on a machine you know.

So the "problem" of some Linux/Unix distributions needing to compile
the programs that one installs on them is not actually a problem, at
least from that single POV.

I am continually pleased to find that the longer one looks at Unix the
more instances one finds where the way that things "just happen" to be
done turns out to be the right way to do them.
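
The hash-tree option mentioned in the message above, as an added example that is not part of the original post: every source file becomes a leaf, the leaves are rolled up into one root, and that root is the only value that needs a signature. SHA-256, the function names and the sample files are assumptions of this example; producing the signature over the root (with PGP, say) is left out.

```python
import hashlib

def _h(tag, data):
    # Tag separates leaves (0x00) from interior nodes (0x01).
    return hashlib.sha256(tag + data).digest()

def leaf_hash(path, content):
    # Bind the file name to its content; the length prefix keeps the boundary unambiguous.
    p = path.encode()
    return _h(b"\x00", len(p).to_bytes(4, "big") + p + content)

def build_levels(files):
    if not files:
        raise ValueError("empty source tree")
    level = [leaf_hash(p, files[p]) for p in sorted(files)]
    levels = [level]
    while len(level) > 1:
        nxt = [_h(b"\x01", level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted unchanged
        level = nxt
        levels.append(level)
    return levels

def tree_root(files):
    return build_levels(files)[-1][0]

def inclusion_proof(files, path):
    # Sibling hashes from leaf to root, each flagged with whether it sits on the left.
    idx, out = sorted(files).index(path), []
    for level in build_levels(files)[:-1]:
        sib = idx ^ 1
        if sib < len(level):
            out.append((sib < idx, level[sib]))
        idx //= 2
    return out

def verify_file(path, content, proof, signed_root):
    # Recompute the path to the root from one file and its proof alone.
    node = leaf_hash(path, content)
    for sib_is_left, sib in proof:
        node = _h(b"\x01", sib + node if sib_is_left else node + sib)
    return node == signed_root

# Constructed sample tree (file names and contents are made up for this example).
SAMPLE = {"src/main.c": b"int main(void){return 0;}\n",
          "src/rsa.c": b"/* rsa */\n",
          "Makefile": b"all:\n\tcc -o pgp src/*.c\n"}
ROOT = tree_root(SAMPLE)  # the single value a maintainer would sign
```

With the root signed once, any single file can be checked against it using only that file and its short proof, without fetching or hashing the rest of the tree.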