Gentoo Archives: gentoo-amd64

From: Mark Knecht <markknecht@×××××.com>
To: Gentoo AMD64 <gentoo-amd64@l.g.o>
Subject: [gentoo-amd64] "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
Date: Mon, 04 Aug 2014 22:04:16
Message-Id: CAK2H+ecr0cvFdY=mEsMKok6QyM6By0WS4GB1eQZACcnfmGXL-Q@mail.gmail.com
As the line in that favorite song goes "Paranoia strikes deep"...

<NOTE>
I am NOT trying to start ANY political discussion here. I hope no one will
go too far down that path, at least here on this list. There are better
places to do that.

I am also NOT suggesting anything like what I ask next has happened, either
here or elsewhere. It's just a question.

Thanks in advance.
</NOTE>

I'm currently reading a new book by Glenn Greenwald called "No Place To
Hide" which is about Greenwald's introduction to Edward Snowden and the
release of all of the confidential NSA documents Snowden acquired. This got
me wondering about Gentoo, or even just Linux in general. If the underlying
issue in all of that Snowden stuff is that the NSA has the ability to
intercept and hack into whatever they please, then how do I know that the
source code I build on my Gentoo machines hasn't been modified by someone
to provide access to my machine, networks, etc.?

Essentially, what is the security model for all this source code and how do
I verify that it hasn't been tampered with in some manner?

1) That the code I build is exactly as written and accepted by the OS
community?

2) That the compilers and interpreters don't do anything except build the
code?

There are certainly lots of other issues about security, like protecting
passwords, protecting physical access to the network and machines,
rootkits and the like, etc., but assuming none of that is in question (I don't
have any reason to think the NSA has been in my home!) ;-) I'm looking for
info on how the code is protected from the time it's signed off until it's
built and running here.

If someone knows of a good web site to read on this subject let me know.
I've gone through my Linux life more or less like most everyone went
through life 20 years ago, but paranoia strikes deep.

Thanks in advance,
Mark
