[MPlayer-dev-eng] autosh*t @ freshmeat

D Richard Felker III dalias at aerifal.cx
Sun Jun 22 12:05:17 CEST 2003


On Sun, Jun 22, 2003 at 11:37:57AM +0200, Petr Tomasek wrote:
> > (BTW, have you ever stopped to think how many trojans might be hiding
> > in various packages' autoconf-generated configure scripts, since no
> > one ever actually reads the output? Imagine if the developer in charge
> > of releases got rooted and some trojan code was installed in their
> > system-wide ac m4 macros... Naturally a handwritten configure script
> > does not have this problem since every change is visible as it's
> > committed to CVS.)
> 
> If you compromise the compiler, you don't even need a Makefile to
> promote the trojan ;-)

Um, no. We're talking about source release, not binary packages.
People don't put binaries generated by a compiler in cvs repositories
or tarballs (at least hopefully not...) but they DO put configure
scripts generated by autoconf there.

Rich
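
The review gap discussed in this thread can be checked mechanically. The following is an added example, not part of the original message or of MPlayer: it compares an unpacked release tree against a VCS export of the same tag and lists files that were shipped but never committed, files that differ, and files carrying the autoconf banner. The function names, directory layout and sample contents are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Banner that autoconf writes near the top of the configure scripts it generates.
AUTOCONF_MARKER = b"Generated by GNU Autoconf"

def tree_hashes(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def is_autoconf_output(path):
    """True if the first 4 KiB of the file carries the autoconf banner."""
    with open(path, "rb") as fh:
        return AUTOCONF_MARKER in fh.read(4096)

def audit_release(vcs_dir, release_dir):
    """Compare an unpacked release against a VCS export of the same tag."""
    vcs, rel = tree_hashes(vcs_dir), tree_hashes(release_dir)
    report = {"untracked": [], "modified": [], "generated": []}
    for name, digest in rel.items():
        if name not in vcs:
            report["untracked"].append(name)   # shipped, never committed
        elif vcs[name] != digest:
            report["modified"].append(name)    # differs from the committed copy
        if is_autoconf_output(Path(release_dir) / name):
            report["generated"].append(name)   # machine output: regenerate and diff
    return report

def demo():
    """Constructed sample trees; file names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        vcs, rel = Path(tmp, "vcs"), Path(tmp, "release")
        for d in (vcs, rel):
            d.mkdir()
            (d / "configure.ac").write_text("AC_INIT([demo],[1.0])\nAC_OUTPUT\n")
            (d / "main.c").write_text("int main(void){return 0;}\n")
        # Present only in the release tree, as a generated configure would be.
        (rel / "configure").write_text(
            "#! /bin/sh\n# Generated by GNU Autoconf 2.57 for demo 1.0.\n")
        (rel / "main.c").write_text("int main(void){return 1;}\n")
        return audit_release(vcs, rel)

if __name__ == "__main__":
    print(demo())
```

Files listed under `generated` are the ones to rebuild from `configure.ac` with a trusted autoconf installation and compare against the shipped copy.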


