Are You Sure This Is the Source Code?

← Back to Stories (view on slashdot.org)

Are You Sure This Is the Source Code?

Posted by timothy on Thursday June 20, 2013 @06:20AM from the not-as-simple-as-md5-sum dept.

oever writes "Software freedom is an interesting concept, but being able to study the source code is useless unless you are certain that the binary you are running corresponds to the alleged source code. It should be possible to recreate the exact binary from the source code. A simple analysis shows that this is very hard in practice, severely limiting the whole point of running free software."

7 of 311 comments (clear)

Min score:

Reason:

Sort:

Bogus argument by Beat+The+Odds · 2013-06-20 06:22 · Score: 5, Insightful

"Exact binaries" is not the point of having the source code.
1. Re:Bogus argument by oGMo · 2013-06-20 07:00 · Score: 5, Insightful
  
  Simply having the source code doesn't mean you have the ability to actually use the source code to make bug fixes should the need arise.
  
  And yet, it still means that you can fix it, or even rewrite it in something else, if you want. Not having the source code means this is between much-more-difficult and impossible. The lesson here should be that everything we use should be open source, including compilers and libraries, not "well in theory I might have problems, so screw that whole open source thing .. proprietary all the way!"
  
  --
  Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
touch o' hyperbole by ahree · 2013-06-20 06:27 · Score: 5, Insightful

I'd suggest that "severely limiting the whole point of running free software" might be a touch of an exaggeration. A huge touch.
Incorrect suppositions. by Microlith · 2013-06-20 06:28 · Score: 5, Insightful

A simple analysis shows that this is very hard in practice, severely limiting the whole point of running free software."
No it doesn't. The whole point of running free software is knowing that I can rebuild the binary (even if the end result isn't exactly the same) and, more importantly, freely modify it to suit my needs rather than being beholden to some vendor.
1. Re:Incorrect suppositions. by Shoten · 2013-06-20 06:48 · Score: 5, Insightful
  
  A simple analysis shows that this is very hard in practice, severely limiting the whole point of running free software."
  No it doesn't. The whole point of running free software is knowing that I can rebuild the binary (even if the end result isn't exactly the same) and, more importantly, freely modify it to suit my needs rather than being beholden to some vendor.
  There's another point too...which incidentally is the whole point of running a distro like Gentoo...that you can compile the binary exactly to your specifications, even sometimes optimizing it for your specific hardware. I don't get at all this idea he has about "reproducible builds;" if he builds the same way on the same hardware, he'll get the same binary. But what he's doing is comparing builds in distros with ones he did himself...and the odds that it's the same method used to create the binary are very low indeed.
  If he's concerned about precompiled binaries having been tampered with, he's looking at the wrong protective measure. Hashes and/or signing are what is used to protect against that...not distributing the source code alongside the compiled binary files. If you look at the source code and just assume that a precompiled binary must somehow be the same code "just because," you're an idiot.
  
  --
  
  For your security, this post has been encrypted with ROT-13, twice.
Trust by bunratty · 2013-06-20 06:33 · Score: 5, Insightful

I took a graduate-level security class from Alex Halderman (of Internet voting fame) and what I came away with is that security comes down to trust. To take an example, when I walk down the street, I want to stay safe and avoid being run over by a car. If I think that the world is full of crazy drivers, the only way to be safe is to lock myself inside. If I want to function in society, I have to trust that when I walk down the sidewalk that a driver will not veer off the road and hit me.
When you order a computer, you simply trust that it doesn't have a keylogger or "secret knock" CPU code installed at the factory. It's exactly the same with software binaries, of course. In the extreme case, even examining all the source code will not help. You must trust!

--
What a fool believes, he sees, no wise man has the power to reason away.
Re:What a problem by TheRaven64 · 2013-06-20 06:52 · Score: 5, Insightful

Most of the time, even that isn't enough. C compilers tend to embed build-time information as well. For verilog, they often use a random number seed for the genetic algorithm for place-and-route. Most compilers have a flag to set a specified value for these kinds of parameter, but you have to know what they were set to for the original run.
Of course, in this case you're solving a non-problem. If you don't trust the source or the binary, then don't run the code. If you trust the source but not the binary, build your own and run that.

--
I am TheRaven on Soylent News