John Woodman
Tue, 8 Feb 2000 13:58:39 -0700

Has anyone ever taken the source, compiled it, and compared the result with a
compiled commercial version (say by running a checksum?)

While different results wouldn't necessarily mean back doors, it *would* make me

> > The commercial version *does not* have back doors. Ignore this FUD.
> Okay, prove it.
> If you look at the source of any good cryptography software you will
> notice that the authors undertake so many precautions and you really
> can say, they are paranoid. One example is the forthcoming Twofish
> algorithm which uses the 256 bit form of it and not the 128 bit one -
> this is really paranoid but done anyway.
> And now you say, take this compiled program, believe them that there are
> no backdoors in it and if you want, you can take the source and
> compile it yourself - however there is no proof that the usually
> distributed binary version has been built from the known source code.
> So tell me the probabilities that you
> a) can break the algorithms
> b) find a hole in the implementation
> c) that someone has tampered with the product
> IMO, c has a probability which is orders of magnitude higher than b.
> Is there a trusted group of persons who did supervise the whole
> production process from the published source, over the tool chain to
> the production of the CDROM up to the distribution channels?
> I do trust Debian more than a company which got quite a lot of orders
> from governmental agencies - but okay, this is only my personal
> opinion.
> BTW, the Transmeta CPU has a very similar problem, given the huge
> amount of software it relies on.
> --
> Werner Koch at keyid 621CC013