In comp.security.misc email@example.com
> Hi folks,
> Has anybody here ever built OpenOffice from sources, or know of
> someone who has recently, who can say that doing so is possible?
> I ask because I am curious as to whether I should be trusting
> the binaries coming from Sun.
> After all, it seems that so many big US corporations are
> eager to cave in to the demands of the NSA or RIAA/MPAA.
> I have to wonder whether OO maybe has spyware in
> the binary download that is not in the source code download.
> AT&T, Comcast, etc... why would Sun be any less unethical?
One could dismiss this as paranoid trolling or ranting. However, I'll
take it as a serious question.
First of all, you're blurring the difference between software companies
and service providers. AT&T, Comcast, etc., don't provide software--they
just sell service. It's an ethically different perspective between allowing
(and maybe even aiding) the various agencies access, and explicitly creating
access in your code. It also doesn't take into account that the various
telecom/internet/infrastructure providers are government licensed, and are
somewhat more beholden to the government as a result.
Look at it another way: Are there any major hardware/software product
companies that have been shown to be illicitly collaborating with the various
three (or four) letter agencies? If not, then why would Sun be the first?
Secondly, building OO from source is absolutely no guarantee, for a long
series of reasons. First of all, building from source doesn't mean the
same thing as reading the source. If someone put a trojan in the source
code, how long would it be before someone discovered it? Days? Weeks?
Months? Years even? Hard to say, but unless YOU read every line of code,
you are farming out your trust to someone else.
Having said that, there's no reason that clean source code will actually
compile without spyware. Read this article by Ken Thompson, and you'll
realise that you're totally screwed with regards to trustable software: http://www.acm.org/classics/sep95/
OK, paranoid yet? Depressed yet? Good. Now let's consider the opposite
side of the coin.
#1: Sun isn't OpenOffice.org. The compiled OO binaries come from the OO
group, not from Sun. Sun produces StarOffice from the same code base,
and could put crap in that if they wanted, but...
#2: Why would they? What would they possibly gain by adding spyware and/or
trojans to their product? If it happened and was discovered, then they
would immediately lose all credibility in the industry.
#3: There's also the method of the purported spyware. If software reports
information back to an agency, then it will (likely) be sent over a
network and can be easily detected with a packet sniffer. If some
inappropriate information is added to a file, it can be sussed out
quite easily given that OO.org stores files in compressed XML, which
can be read by humans.
Is it possible? Absolutely--anything is possible.
Is it likely? Not in my mind. There are so many more effective and sneaky
ways to obtain information, that it just doesn't make any sense.
Mind you, if you're actually doing something that's going to get you
arrested and thrown in a cell somewhere, paranoia is never misplaced.