[Arm-netbook] Questioning The Holy War

Chris Tyler chris at tylers.info
Sat Dec 8 19:33:26 GMT 2018


On Sat, Dec 8, 2018 at 11:20 AM Hendrik Boom <hendrik at topoi.pooq.com> wrote:

> On Sat, Dec 08, 2018 at 10:28:18AM -0500, Chris Tyler wrote:
> > On Sat, Dec 8, 2018 at 7:07 AM Pablo Rath <pablo at parobalth.org> wrote:
> >
> > > On Fri, Dec 07, 2018 at 04:52:22PM -0500, Hendrik Boom wrote:
> > > > On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
> > > > >
> > > > > How do you know if the source is closed? :)
> > > >
> > > > Let's assume this is a real question.
> > >
> > > Hendrik, I am sorry. I see, I have phrased my (rhetorical) question
> > > poorly. What I meant and should have written is more like: "How can you
> > > know if a software behaves well and doesn't shoot the cat when you can't
> > > audit the source code?"
> > >
> >
> > I must point out an error here: Ken Thompson proved that auditing source
> > code (of software and the toolchain used to build it) is meaningless in his
> > paper "Reflections on Trusting Trust". That paper/talk was released 34
> > years ago, and it wasn't theoretical -- it was based on malware that he'd
> > successfully released into the wild many years before.
>
> I remember reading that talk -- Wasn't it a Turing lecture? -- and I don't
> recall him saying he actually did release that malware -- he just explained
> what he *could* have done.  But he didn't deny it either.
>

From the text of the talk: "The actual bug that I planted in the compiler..."
and discussion at the time indicated that this... feature... had been
present for years. I think it was safe for him to mention in '84 because
many (though not all) were migrating off the original toolchain by that
point.

-Chris

