linuxaudio.org

On Thu, 7 Mar 2013 15:14:42 +0100, Nick Copeland wrote

quoted text
> > Of course you can also always compile from source:

> > http://ardour.org/building_linux.html

>

> So if the ardour site was hacked then is there not a possibility that the source

> code has been compromised too?

Of course. It'll be as vulnerable as the compiled ardour you download from

a hacked server ;-)
> Is the code signed? 
Probably not. It might be possible to provide checksums (wich you would have to

commuincate over a secure channel ...) but in the presence of line-end conversion

et al. even that is non-trivial.
> What I am getting at is that if you install ardour using a root account but the 

quoted text
> version you are installing is maliciously compromised then your system can

> become pwned.

Yes. That's pretty obvious. Almost the same is true for non-root installs as well.

Just install a backgound process that logs all X-events (key-down ...) and you'll

be able to get root access.
Iff you protection against this kind of exploits you pretty much need to audit you

code base or use distributions that use signed packages. Trust your

distribution or

audit, those are the only options you have.
> I doubt this since if I wanted to own a few systems then I would not leave the

quoted text
> hack evident but Linux is very close to some large exploits due to the nature

> of distributed and weakly protected code.

Which distribution _doesn't_ sign it's packages? What code is weakly protected?

Even most major download/DVCS sites use secure communication channels these days

(https). The problem is the naive asumption that self-compiled code would be more

secure. Not a Linux problem, I'd say ...
 Cheers Ralf Mattes
> Regards, nick.
--

 R. Mattes -

 Hochschule fuer Musik Freiburg

 rm@inm.mh-freiburg.de
_______________________________________________

Linux-audio-user mailing list

Linux-audio-user@lists.linuxaudio.org

http://lists.linuxaudio.org/listinfo/linux-audio-user