From: Mike Gerwitz
To: Ian Grant
Cc: Mark H Weaver, Markus Kuhn, guile-devel
Newsgroups: gmane.lisp.guile.devel
Subject: Re: Verifying Toolchain Semantics
Date: Sun, 5 Oct 2014 02:58:59 -0400
Message-ID: <20141005065858.GA16595@fencepost.gnu.org>
References: <87mw9dfz8l.fsf@netris.org>

On Sat, Oct 04, 2014 at 09:35:09PM -0400, Ian Grant wrote:
> Well, if I do succeed in distributing malware, it will be a good
> demonstration of what I have been arguing for months now, which is
> that your "core infrastructure" is _very,_ _very_ flaky, and that far
> from being "the most important developers," you are in fact just
> part-time amateur hackers playing at your 'hobbies'.
>
> What I am trying to do here is wake you people up from what will
> otherwise prove to be terminal sleep.
> This is not a hobby, you are
> combatants in a global information war, and it will cost some of you
> your lives,

As has been stated---your concerns are substantiated and understood,
and you clearly have much experience and information to contribute, but
your unnecessary and unsubstantiated insults and holier-than-thou
attitude prevent meaningful discussion, especially from those who are
spectating and unwilling to participate in a discussion that is
consequently destined to yield little more than childish banter and
silence, albeit sprinkled with bits of very interesting information and
resources.

The additional drama you infuse into the conversation---an example
being the latter paragraph above---also works against you. There are
many things that may cost us our lives, and I'm fairly certain that
this does not make the top million or so for most of us. I'm killing
myself sitting here typing this message.[0] From my understanding,
you're allowing your body to degenerate as we speak.

> I don't distribute plain text because it is too easy to alter. Once I
> send one of these "essays" out I have no control over what happens to
> it. So I try to make it as hard as I reasonably can for people to edit
> what I have written.

This argument is not valid---why is it hard to alter a PDF? In fact,
PDF manipulation is a dark (and probably cancer-causing) art that's
automated by countless businesses worldwide; it is a topic that eats up
a significant portion of development time at my employer's office.

Have you considered just distributing a GPG/PGP signature with your
works, or even signing the work itself? After all, this whole
discussion is about proving the unlikelihood of and preventing the
modification of data. Unlike the topic of complex binaries, your works
are trivially verifiable even by hand---take advantage of that.
If in ASCII, verification is a simple matter of diffing, even without
cryptographic assurances, provided that your original work is archived
in a number of reputable places (though I'd still sign my works);
however, PDFs introduce an infinite number of display modifications
that can produce a document yielding a text isomorphic to the
original---just because two PDFs of your work are 99% different when
binary-compared doesn't mean that the visual meaning of text it renders
is not 100% the same.

(To be fair: I'm fine with PDFs; it's hard to convert most TeX-heavy
writings using equations into meaningful ASCII, but I still provide
ASCII alternatives whenever reasonable, which is >90% of the time.
Unicode is often suitable when ASCII isn't.)

[0]: http://apps.washingtonpost.com/g/page/national/the-health-hazards-of-sitting/750/

-- 
Mike Gerwitz
Free Software Hacker | GNU Maintainer
http://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
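
The diff-against-archived-copies check described in the message above,
as an added example that is not part of the original post. The essay
text, the archive names and the function names are constructed for
illustration; the majority vote among archives is an assumption about
how to pick the reference copy.

```python
import difflib
import hashlib
from collections import Counter

# Constructed sample texts; the essay, archive names and edits are illustrative.
ORIGINAL = (
    "On verifying toolchains\n"
    "\n"
    "The compiler must be verified.\n"
    "Binaries are hard to audit.\n"
)
ARCHIVES = {
    "archive-a.example": ORIGINAL,
    "archive-b.example": ORIGINAL.replace("\n", "\r\n"),  # CRLF from mail transport
    "archive-c.example": ORIGINAL + "Appendix added later.\n",  # one bad mirror
}
RECEIVED = ORIGINAL.replace("must be", "need not be")


def digest(text):
    """SHA-256 of the text after normalising CRLF line endings to LF."""
    return hashlib.sha256(text.replace("\r\n", "\n").encode("utf-8")).hexdigest()


def verify_against_archives(received, archives):
    """Check a received copy against the copy most archives agree on."""
    counts = Counter(digest(text) for text in archives.values())
    ref_digest, votes = counts.most_common(1)[0]
    if votes * 2 <= len(archives):
        raise ValueError("no majority among archives; cannot pick a reference")
    reference = next(t for t in archives.values() if digest(t) == ref_digest)
    diff = list(difflib.unified_diff(
        reference.splitlines(), received.splitlines(),
        "archived", "received", lineterm=""))
    return {
        "matches": digest(received) == ref_digest,
        "reference_sha256": ref_digest,
        "dissenting_archives": sorted(
            name for name, t in archives.items() if digest(t) != ref_digest),
        "diff": diff,
    }


if __name__ == "__main__":
    result = verify_against_archives(RECEIVED, ARCHIVES)
    print("matches:", result["matches"])
    print("dissenting:", result["dissenting_archives"])
    print("\n".join(result["diff"]))
```

This check only shows whether a copy agrees with the archives; it says
nothing about who wrote the text, which is what the signature suggested
in the message adds.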