From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: The fixed-point project
Date: Fri, 20 Sep 2013 23:44:29 +0200
To: Mark H Weaver
Cc: guix-devel@gnu.org

Mark H Weaver writes:

> Hi Ludovic,
>
> ludo@gnu.org (Ludovic Courtès) writes:
>
>> However, in theory, that doesn’t save us from trusting-trust
>> attacks [1]: the bootstrap GCC could contain a trap, such that the trap
>> is always preserved across recompilations of GCC, even if it’s absent
>> from the GCC source being compiled.
>>
>> David A. Wheeler’s thesis [2] addresses this topic.  Roughly, it shows
>> that a compiler can be tested for traps by relying on a “trusted”
>> compiler [3].
>
> I don't think this is an adequate summary of David's technique for
> defeating Thompson viruses.  Under his method, one needn't trust any
> single compiler.  Instead, one uses several different compilers to
> bootstrap a single compiler, and checks that the results of all of
> those bootstraps yield the same result.

Right.

> One need only trust that the first-stage compilers aren't _all_
> compromised with the same Thompson virus.  This is much more
> reasonable than expecting everyone to trust the Guix bootstrap
> tarballs.  In order to defeat this method, a Thompson virus would have
> to be sophisticated enough to hide itself in all of the compilers, and
> be able to jump from one compiler to another.

Yes, you’re right (I may have been fooled by the wording in .)

In Guix we can use different variants of the bootstrap compiler to build
the tarballs, but in practice I suspect these would have to remain
variants of the same thing (GCC), not completely different compilers.

Ludo’.
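
The comparison step discussed in this message (rebuild one compiler through several seed compilers, then check that every result is identical), sketched as an added example that is not part of the original message or of Guix. The seed labels, directory layout and sample bytes are constructed for illustration.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def tree_digest(root):
    """SHA-256 over every file's relative path and bytes, in a stable order."""
    root = Path(root)
    files = sorted((p.relative_to(root).as_posix(), p)
                   for p in root.rglob("*") if p.is_file())
    h = hashlib.sha256()
    for rel, path in files:
        name, data = rel.encode(), path.read_bytes()
        # Length-prefix each field so (name, data) boundaries are unambiguous.
        h.update(len(name).to_bytes(8, "big") + name)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def compare_bootstraps(outputs):
    """outputs maps a seed-compiler label to the directory holding the compiler
    rebuilt from the same source through that seed. Returns (agree, groups),
    where groups maps each distinct digest to the labels that produced it."""
    if len(outputs) < 2:
        raise ValueError("need at least two independent bootstrap paths")
    groups = defaultdict(list)
    for label, directory in outputs.items():
        groups[tree_digest(directory)].append(label)
    return len(groups) == 1, {d: sorted(ls) for d, ls in groups.items()}


def demo():
    """Constructed sample: three hypothetical seeds, one output off by a byte."""
    sample = {"seed-a": b"\x7fELF\x01same", "seed-b": b"\x7fELF\x01same",
              "seed-c": b"\x7fELF\x02same"}
    with tempfile.TemporaryDirectory() as tmp:
        outputs = {}
        for label, body in sample.items():
            bindir = Path(tmp, label, "bin")
            bindir.mkdir(parents=True)
            (bindir / "cc").write_bytes(body)
            outputs[label] = Path(tmp, label)
        return compare_bootstraps(outputs)


if __name__ == "__main__":
    agree, groups = demo()
    print("all bootstraps agree" if agree else "MISMATCH, investigate:")
    for digest, labels in groups.items():
        print(f"  {digest[:16]}  {', '.join(labels)}")
```

The check is only meaningful when the build is bit-for-bit reproducible; otherwise a mismatch may reflect nondeterminism (timestamps, build paths) rather than a trap. Agreement rules out a trap only under the assumption stated in the thread, that the seeds are not all compromised in the same way.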