This is the mail archive of the
mailing list for the Cygwin project.
Re: Unable to compile cygwin
- From: "Bill C. Riemers" <cygwin at docbill dot net>
- To: "Gabriel SOUBIES" <gabriel dot soubies at thales-is dot com>, <cygwin at cygwin dot com>
- Date: Tue, 23 Dec 2003 12:00:43 -0500
- Subject: Re: Unable to compile cygwin
- References: <BCELLMLNMKLBEEMIBLGDCEPCCHAA.email@example.com>
Ahh. The old chicken and egg problem.
Normally the way to resolve this issue is to use a cross compiler. However,
even then you still have to start off with a binary application, just on
another platform. For example, you could use gcc running under Linux. But
how do you verify the Linux distribution is free from problems? Well, you
can use a cross compiler to do that as well. And so on, iteratively, until
eventually you start off with something you trust...
However, most people would not bootstrap all the way back to something they
already have installed. Instead they look for something with a certifying
authority and trust that. I believe RedHat did at one time produce
certified versions of Cygwin. If so, you can beg, borrow, or steal a copy
of that (since RedHat no longer sells the CD's), and bootstrap yourself
forward to the latest version of Cygwin. Or instead you can install a
certified OS and cross compile from that enough to bootstrap the latest
version of Cygwin.
In the end, however, I guarantee regardless of what procedure you use, your
company won't review every line of source, so you are really no more secure
than just downloading a copy...
----- Original Message -----
From: "Gabriel SOUBIES" <firstname.lastname@example.org>
Sent: Tuesday, December 23, 2003 5:57 AM
Subject: RE: Unable to compile cygwin
> I am still not able to build Cygwin from the latest CVS sources...
> But anyway, that's only a part of the problem. My boss wants to be sure
> there is no malicious code in the Cygwin distribution I use.
> So he's telling me to rebuild it from scratch from the CVS sources.
> His logic is that since we can look into the sources and check that there
> no malicious code in it, if we build a version from these sources, we can
> assume they contain no trojan or whatever.
> But if I understood correctly, I must use Cygwin to rebuild the sources.
> When I told him that, he went all mad and told me that he could not trust
> version of Cygwin to rebuild these sources, since it could 'insert'
> malicious code without us knowing it even though the sources are perfectly
> So my question is: Is it possible to rebuild Cygwin without Cygwin?
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Problem reports: http://cygwin.com/problems.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html