I invite you to reread the lecture given by Ken Thompson (creator of Unix and C) for the 1998 Turing Award (https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrusti...), in which he explains that having the source code of a piece of software is not enough to be sure it contains no malware; you have to check the whole vertical chain, from the hardware to the compilers. The SolarWinds case falls into this category. — Beppe
On 22 Dec 2020, at 12:47, Giovanni Biscuolo <giovanni@biscuolo.net> wrote:
To put it in the words of researcher David A. Wheeler: [4]
The long-term goal should be that “we can ensure that all OSS compiled code is accurately represented by its source code”. The source code may include malicious statements, but source code is what developers review, so we’ve fundamentally changed the game to ensure that “what is reviewed is what is run”.
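The "what is reviewed is what is run" goal above is checkable in practice by rebuilding a release from the reviewed source on independent builders and comparing the results bit for bit with the binary that was actually shipped. The following is an added example, not code from either correspondent or from Wheeler; `toy_build` is a hypothetical deterministic stand-in for a real compiler, and every byte string below is constructed sample data. If the independent rebuilds agree with each other but not with the published binary, the difference was introduced somewhere between the reviewed source and the artifact, which is exactly the class of compromise the thread is discussing.

```python
"""Verify that a published binary is reproducible from reviewed source.

Added example (not part of the original thread). `toy_build` is a
hypothetical deterministic compiler stand-in; all inputs are constructed.
"""
import hashlib
from collections import Counter


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_build(source: bytes) -> bytes:
    # Hypothetical compiler: output depends only on the source bytes,
    # so two honest builders always produce identical artifacts.
    return b"TOYBIN\0" + hashlib.blake2b(source, digest_size=16).digest() + source


def assess(published: bytes, rebuilds: dict[str, bytes], quorum: int = 2) -> dict:
    """Compare the shipped binary against independent rebuilds.

    Returns a dict whose "status" is one of:
      insufficient-rebuilds  fewer than `quorum` builders reported
      not-reproducible       builders disagree among themselves
      verified               builders agree and the published binary matches
      mismatch               builders agree but the published binary differs
    """
    digests = {name: sha256(blob) for name, blob in rebuilds.items()}
    counts = Counter(digests.values())
    majority = counts.most_common(1)[0][0] if counts else None
    dissenting = sorted(n for n, d in digests.items() if d != majority)

    if len(rebuilds) < quorum:
        status = "insufficient-rebuilds"
    elif len(counts) > 1:
        status = "not-reproducible"
    elif sha256(published) == majority:
        status = "verified"
    else:
        status = "mismatch"

    return {
        "status": status,
        "published": sha256(published),
        "consensus": majority if len(counts) == 1 else None,
        "dissenting": dissenting,
    }


# ---- constructed sample data -------------------------------------------
REVIEWED_SOURCE = b"int main(void) { return 0; }\n"

# Three independent builders rebuild the reviewed source.
REBUILDS = {name: toy_build(REVIEWED_SOURCE) for name in ("builder-a", "builder-b", "builder-c")}

# A release that really is the reviewed source, compiled.
HONEST_RELEASE = toy_build(REVIEWED_SOURCE)

# A release whose bytes were altered after/outside the reviewed source
# (constructed; stands in for any build-pipeline modification).
ALTERED_RELEASE = toy_build(REVIEWED_SOURCE) + b"\0extra-bytes-not-in-reviewed-source"

# A builder that embeds a timestamp breaks reproducibility on its own.
NONDETERMINISTIC_REBUILDS = dict(REBUILDS, **{"builder-d": toy_build(REVIEWED_SOURCE) + b"built 2020-12-22"})


def run_checks() -> dict:
    """Run the three scenarios; returned so a caller can inspect the verdicts."""
    return {
        "honest": assess(HONEST_RELEASE, REBUILDS),
        "altered": assess(ALTERED_RELEASE, REBUILDS),
        "nondeterministic": assess(HONEST_RELEASE, NONDETERMINISTIC_REBUILDS),
        "too-few": assess(HONEST_RELEASE, {"builder-a": REBUILDS["builder-a"]}),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name:16s} {result['status']:22s} dissenting={result['dissenting']}")
```

The quorum parameter matters: a single rebuild that matches proves only that one more machine ran the same pipeline, while agreement between builders run by different parties on different infrastructure is what makes the source, rather than any one build host, the thing being trusted. A `not-reproducible` verdict is not evidence of tampering, but it does mean the binary cannot be tied back to the reviewed source until the nondeterminism is removed.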