Compiler Vulnerability (Score 2)
Is Australia planning on building their own code from that source?
Because how would they know that what they were running was actually the source code they were provided?
And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.
Or, even more insidious, I've heard of the possibility of including backdoors via the compiler rather than via the source code.
http://en.wikipedia.org/wiki/Backdoor_(computing)
Quote from that article:
It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) aspect of program operation. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust (see below).
If Huawei's code requires anything more than generic gcc, Australia may not be able to verify 100% security, regardless... unless they're given the source code to the compiler as well.
Long story short, this just seems like a huge hassle that Australia is probably going to avoid anyway.
Just my 2 cents...
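Added illustration, not part of the comment above and not taken from the Wikipedia article or Thompson's paper: a toy version of the compiler backdoor the quote describes, followed by the check a reviewer in Australia's position would actually run. The toy "object code" is just Python text that a loader exec()s, the two sources, the 'joshua' master password and every function name are constructed for this example, and the countermeasure shown is David A. Wheeler's diverse double compiling (DDC): rebuild the compiler source with a second, independently trusted compiler, rebuild it again with the result, and compare that with what the suspect compiler produces from the same source.

```python
# Constructed toy of a Thompson-style trojaned compiler and the DDC check.
# "Object code" is Python text; the loader exec()s it.  Nothing here is
# real compiler or vendor code; all sources and names are made up.

# Pristine compiler source, as a vendor would hand it over for review.
CLEAN_COMPILER_SRC = '''
def compile_program(src):
    # Toy compiler: object code is the source with comment lines stripped.
    return "\\n".join(l for l in src.splitlines() if not l.strip().startswith("#"))
'''

# A login routine whose source never mentions a master password.
LOGIN_SRC = '''
def check_password(pw):
    # Only the configured password is supposed to be accepted.
    return pw == "correct horse"
'''

# The trojan lives only in compiled compilers.  It (a) plants a master
# password whenever it sees a login routine and (b) re-inserts its own text
# whenever it sees a compiler, so a clean rebuild of the compiler stays
# infected.  repr(PAYLOAD_BODY) is the self-reproduction trick.
PAYLOAD_BODY = '''
_orig_compile_program = compile_program
def compile_program(src):
    out = _orig_compile_program(src)
    if "def check_password(" in src:
        out = out.replace("def check_password(pw):",
                          "def check_password(pw):\\n    if pw == 'joshua':\\n        return True", 1)
    if "def compile_program(" in src:
        out = out + "\\nPAYLOAD_BODY = " + repr(PAYLOAD_BODY) + PAYLOAD_BODY
    return out
'''


def load(obj_code):
    """Loader: execute object code in a fresh namespace and return it."""
    ns = {}
    exec(obj_code, ns)
    return ns


def trusted_compile(src):
    """Independent, hand-checked implementation of the same toy language.
    Plays the role of the trusted second compiler in DDC."""
    return "\n".join(l for l in src.splitlines() if not l.strip().startswith("#"))


def make_trojaned_compiler():
    """Attacker's one-off build from modified source.  The modification is
    then deleted from the source tree; only this object code carries it."""
    clean_obj = trusted_compile(CLEAN_COMPILER_SRC)
    return clean_obj + "\nPAYLOAD_BODY = " + repr(PAYLOAD_BODY) + PAYLOAD_BODY


def rebuild_from_clean_source(compiler_obj):
    """What a reviewer does: rebuild the compiler from the pristine source
    using the compiler binary they were given."""
    return load(compiler_obj)["compile_program"](CLEAN_COMPILER_SRC)


def master_password_works(compiler_obj):
    """Compile the login routine with the given compiler and try the
    password that appears nowhere in either source."""
    login = load(load(compiler_obj)["compile_program"](LOGIN_SRC))
    return login["check_password"]("joshua")


def real_password_works(compiler_obj):
    """The legitimate password must keep working, or the trojan is noticed."""
    login = load(load(compiler_obj)["compile_program"](LOGIN_SRC))
    return login["check_password"]("correct horse")


def ddc_matches(suspect_obj, compiler_src):
    """Diverse double compiling: stage1 = trusted compiler builds the source,
    stage2 = stage1 rebuilds the same source.  A suspect compiler that is
    really built from compiler_src must produce exactly stage2 from it."""
    stage1 = trusted_compile(compiler_src)
    stage2 = load(stage1)["compile_program"](compiler_src)
    return load(suspect_obj)["compile_program"](compiler_src) == stage2


if __name__ == "__main__":
    trojaned = make_trojaned_compiler()
    rebuilt = rebuild_from_clean_source(trojaned)
    print("trojan survives rebuild from clean source:", rebuilt == trojaned)
    print("master password accepted by rebuilt login:", master_password_works(rebuilt))
    print("DDC flags the suspect compiler:", not ddc_matches(rebuilt, CLEAN_COMPILER_SRC))
```

The point of the check is that it needs no trust in the suspect binary at all, only in the second compiler and in the builds being deterministic: if the compiler source really produces the binary you were given, the trusted compiler's second-stage output is byte-identical to what the suspect produces from that same source, and any self-propagating payload shows up as a difference. Reading the compiler's source alone, as the comment suggests, would not have caught this, since the modified source was thrown away after the first build.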