From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: The fixed-point project
Date: Fri, 20 Sep 2013 23:44:29 +0200
Message-ID: <87k3ibcgn6.fsf@gnu.org>
References: <87li2sy063.fsf@gnu.org> <874n9fyyg3.fsf@tines.lan>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:52883)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1VN8a2-0002br-3i
	for guix-devel@gnu.org; Fri, 20 Sep 2013 17:49:43 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1VN8Zw-00088J-Sa
	for guix-devel@gnu.org; Fri, 20 Sep 2013 17:49:37 -0400
Received: from hera.aquilenet.fr ([141.255.128.1]:45569)
	by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@gnu.org>)
	id 1VN8Zw-00088F-MI
	for guix-devel@gnu.org; Fri, 20 Sep 2013 17:49:32 -0400
In-Reply-To: <874n9fyyg3.fsf@tines.lan> (Mark H. Weaver's message of "Fri, 20
	Sep 2013 17:29:00 -0400")
List-Id: <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org

Mark H Weaver <mhw@netris.org> skribis:

> Hi Ludovic,
>
> ludo@gnu.org (Ludovic Court=C3=A8s) writes:
>
>> However, in theory, that doesn=E2=80=99t save us from trusting-trust
>> attacks=C2=A0[1]: the bootstrap GCC could contain a trap, such that the =
trap
>> is always preserved across recompilations of GCC, even if it=E2=80=99s a=
bsent
>> From the GCC source being compiled.
>>
>> David A. Wheeler=E2=80=99s thesis [2] addresses this topic.  Roughly, it=
 shows
>> that a compiler can be tested for traps by relying on a =E2=80=9Ctrusted=
=E2=80=9D
>> compiler [3].
>
> I don't think this is an adequate summary of David's technique for
> defeating Thompson viruses.  Under his method, one needn't trust any
> single compiler.  Instead, one uses several different compilers to
> bootstrap a single compiler, and checking that the results of all of
> those bootstraps yield the same result.

Right.

> One need only trust that the first-stage compilers aren't _all_
> compromised with the same Thompson virus.  This is much more
> reasonable than expecting everyone to trust the Guix bootstrap
> tarballs.  In order to defeat this method, a Thompson virus would have
> to be sophisticated enough to hide itself in all of the compilers, and
> be able to jump from one compiler to another.

Yes, you=E2=80=99re right (I may have been fooled by the wording in
<http://www.dwheeler.com/trusting-trust/dissertation/html/wheeler-trusting-=
trust-ddc.html#4.2.Informal%20description%20of%20DDC>.)

In Guix we can use different variants of the bootstrap compiler to build
the tarballs, but in practice I suspect these would have to remain
variants of the same thing (GCC), not completely different compilers.

Ludo=E2=80=99.