July 31st, 2004, 09:23 AM
It would be really, really difficult to trojan Linux in a way which makes it unsuitable for military applications while creating a deliberate "fault" that would not affect other software, and would pass all regression tests and sneak past the kernel maintainers.
It is not true that Linus reads every line of code personally. There are instead subsystem maintainers (Linus' Lieutenants) who collect patches for individual subsystems. I believe that they do generally read every line of code submitted.
There are a lot of other things which would be far easier to trojan than Linux of course - libc perhaps, or gcc - I've no idea what their policies are.
In any case, it would be fantastically difficult to create a deliberate error which would cause some predictable behaviour, when you don't know anything about the software running on it.
Bear in mind for governments outside of the US, worries about the integrity of the Windows source code prevail - the possibility that it contains US government trojans seems high to some analysts (I am not privy to any classified information on this topic, and even if I was I obviously wouldn't be able to discuss it).
I love the way that some governments get to see the Windows source code, but they aren't allowed to use it to build their own copy of Windows, oh no, they still rely on binaries from Redmond. Hence they have no idea whether what they're looking at is the Windows source code or not.
In any case even if Redmond hasn't got US government bugs in your Windows now, it could add them at the behest of Washington at any moment and distribute through Windows Update faster than you can say "Terrorism".
I don't see how Linux can possibly be less trustworthy than Windows, to the US government, or anyone else. I can however understand if people don't want to use it for flight control software, nuclear reactor monitoring, missile guidance etc. But that would be more to do with bugs than trojans.
Anyway who's to say the US government haven't also got backdoors in WRS VxWorks? That is at least partially distributed pre-compiled.