>> The thing is, configure is an excellent place to hide a malicious
>> grappling hook: [...]
> Isn't that also a major *potential* hazard of open-source in general
> though?
Yes. But it's substantially easier to verify a program than a
configure script. For example, if any of the .o files making up vttest
were to refer to socket() - something easily checked with nm|grep - I'd
want to at least look at the code for it. That sort of verification is
substantially harder to do for a configure script.
I'd also point out that this is hardly distinctive to open source;
running closed-source binaries involves the same trust only with a
significantly lower ability to check even if you wanted to.
> At least for the smaller projects with little peer review process,
> someone could relatively easily slip a piece of malicious code into
> the source -
Oh, I'm much less worried about one of the overt authors. I'm more
concerned about some malicious cracker breaking into the distribution
mechanism at some point and inserting something malicious that the
legitimate code authors didn't intend. (I've already heard of it
happening at least once and I think twice.)
Speaking purely personally, this is also part of the reason I tend to
roll my own so much - though that isn't much help to other people faced
with the same dilemma.
/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML          mouse at rodents.montreal.qc.ca
/ \ Email!        7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
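The "nm|grep" check der Mouse describes above, written out as a small audit script. This is an added example, not code from the post or from vttest; it assumes a POSIX nm(1) whose "-P -A" output has the form "file: symbol type [value [size]]", and the object-file names and the watchlist are made up for illustration.

```sh
#!/bin/sh
# Audit object files for undefined references to symbols that a terminal
# test program has no business calling (sockets, process spawning).
# Added example; the watchlist and sample object names are constructed.

WATCHLIST="socket connect bind listen accept execve execl execlp system popen fork"

# audit_nm_output: read "nm -P -A" output on stdin and print "file symbol"
# for every undefined (type U) reference to a watchlisted symbol.
audit_nm_output() {
    awk -v list="$WATCHLIST" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) watch[a[i]] = 1 }
        $3 == "U" {
            sym = $2
            sub(/@.*$/, "", sym)            # drop any @VERSION suffix
            if (sym in watch) { f = $1; sub(/:$/, "", f); print f, sym }
        }'
}

# audit_objects: run nm over the given .o files; print hits and return 1
# if any watchlisted symbol is referenced, 0 if the objects look clean.
audit_objects() {
    out=$(nm -P -A "$@" | audit_nm_output)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Constructed stand-in for real "nm -P -A *.o" output (not real vttest data):
# two objects reference functions a terminal tester should never need.
SAMPLE='main.o: main T 0000000000000000 0000000000000010
main.o: printf U
main.o: tcsetattr U
esc.o: socket U
esc.o: write U
unix.o: popen U'

# Demo run on the constructed sample; prints "esc.o socket" and "unix.o popen".
printf '%s\n' "$SAMPLE" | audit_nm_output
```

On a real tree you would run `audit_objects *.o` after the build and treat a non-zero exit as a reason to read the code that references the flagged symbol, exactly the look der Mouse says he would want to take.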