From: Mark H Weaver
Subject: Re: The fixed-point project
Date: Fri, 20 Sep 2013 17:29:00 -0400
Message-ID: <874n9fyyg3.fsf@tines.lan>
References: <87li2sy063.fsf@gnu.org>
In-Reply-To: <87li2sy063.fsf@gnu.org> (Ludovic Courtès's message of "Thu, 19 Sep 2013 23:24:52 +0200")
To: Ludovic Courtès
Cc: guix-devel@gnu.org

Hi Ludovic,

ludo@gnu.org (Ludovic Courtès) writes:

> However, in theory, that doesn’t save us from trusting-trust
> attacks [1]: the bootstrap GCC could contain a trap, such that the trap
> is always preserved across recompilations of GCC, even if it’s absent
> from the GCC source being compiled.
>
> David A. Wheeler’s thesis [2] addresses this topic.  Roughly, it shows
> that a compiler can be tested for traps by relying on a “trusted”
> compiler [3].

I don't think this is an adequate summary of David's technique for
defeating Thompson viruses.  Under his method, one needn't trust any
single compiler.  Instead, one uses several different compilers to
bootstrap a single compiler, and checks that the results of all of
those bootstraps yield the same result.
One need only trust that the first-stage compilers aren't _all_
compromised with the same Thompson virus.

This is much more reasonable than expecting everyone to trust the Guix
bootstrap tarballs.

In order to defeat this method, a Thompson virus would have to be
sophisticated enough to hide itself in all of the compilers, and be able
to jump from one compiler to another.

     Regards,
       Mark
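
The cross-check described in the message above, as an added toy model (not code from this thread, from Guix, or from Wheeler's thesis). The `Binary` tuple, `COMPILER_SOURCE`, and the compiler names A, B and C are constructed for illustration; builds are assumed to be deterministic.

```python
import hashlib
from collections import namedtuple

# Toy model (constructed for illustration): a compiler binary is described by
# the code generator it implements, the code generator that built it, and
# whether it carries a self-propagating trap (a Thompson virus).
Binary = namedtuple("Binary", "emits built_by trapped")
COMPILER_SOURCE = "cc-src"  # hypothetical name for the clean compiler source


def compile_compiler(compiler, source=COMPILER_SOURCE):
    """Model `compiler` building the clean compiler source into a new binary."""
    # The output's behaviour comes from the source, but its bytes also depend
    # on the code generator of the compiler doing the build. A trapped
    # compiler re-inserts the trap even though the source is clean.
    return Binary(emits=source, built_by=compiler.emits, trapped=compiler.trapped)


def digest(binary):
    """Stand-in for hashing the binary's bytes."""
    return hashlib.sha256(repr(tuple(binary)).encode()).hexdigest()


def cross_check(bootstrap_compilers):
    """Bootstrap the same source from each compiler; compare stage-2 digests."""
    stage2 = {}
    for name, boot in bootstrap_compilers.items():
        stage1 = compile_compiler(boot)  # bytes differ per bootstrap compiler
        stage2[name] = digest(compile_compiler(stage1))  # should be identical
    return len(set(stage2.values())) == 1, stage2


# Constructed sample sets of first-stage compilers.
honest = {"A": Binary("A", "vendor", False), "B": Binary("B", "vendor", False)}
one_bad = dict(honest, C=Binary("C", "vendor", True))
all_bad = {n: b._replace(trapped=True) for n, b in honest.items()}

if __name__ == "__main__":
    for label, group in [("honest", honest), ("one trapped", one_bad),
                         ("all trapped", all_bad)]:
        agree, _ = cross_check(group)
        print(f"{label}: stage-2 binaries {'agree' if agree else 'DIFFER'}")
```

The "all trapped" case agrees and so passes the check, which is the residual assumption stated in the message: the first-stage compilers must not all carry the same trap.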