On Sat, Dec 08, 2018 at 10:28:18AM -0500, Chris Tyler wrote:
On Sat, Dec 8, 2018 at 7:07 AM Pablo Rath pablo@parobalth.org wrote:
On Fri, Dec 07, 2018 at 04:52:22PM -0500, Hendrik Boom wrote:
On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
How do you know if the source is closed? :)
Let's assume this is a real question.
Hendrik, I am sorry. I see I have phrased my (rhetorical) question poorly. What I meant and should have written is more like: "How can you know if a software behaves well and doesn't shoot the cat when you can't audit the source code?"
I must point out an error here: Ken Thompson proved that auditing source code (of software and the toolchain used to build it) is meaningless in his paper "Reflections on Trusting Trust".
Chris, I have to admit that I find your reply a bit unfair as we were not (yet) discussing such sophisticated details. Especially as the initial question was more in the direction of a comparison of proprietary, open source (with blobs) and completely libre systems and why everyone on this list is so focussed on "libre".
I did some reading on the "trusting trust" topic and want to share what I found: I have never heard of that paper before so I had to look that up. A blogpost by Bruce Schneier led me to David A. Wheeler's 2009 PhD dissertation "Fully Countering Trusting Trust through Diverse Double-Compiling". The dissertation and a lot of additional information can be found at [1]. The dissertation explains how to fully counter the "trusting trust" attack by using the “Diverse Double-Compiling” (DDC) technique. "DDC, in contrast, uses additional compilers as a check on the first. This fundamentally changes things, because now an attacker must simultaneously subvert both the original compiler, and all of the compilers used in DDC. Subverting multiple compilers is much harder than subverting one, especially since the defender can choose which compilers to use in DDC and can choose the compilers used in DDC after the attack has been performed." ([1], section "DDC’s use of trusted compiler(s) fundamentally increases trustworthiness")
I also recommend the section "Reproducible (deterministic) builds" in [1]: "Deterministic builds aren’t enough if the compiler executable is subverted, but thankfully, DDC enables multi-party verification of compiler executables (you still have to check the source, but that is a much easier problem)."
So according to David A. Wheeler the "trusting trust" attack can be fully countered and we are back in a state where auditing source is not meaningless.
Source: [1] https://dwheeler.com/trusting-trust/
(That said, I still prefer to be able to read the source -- just saying we shouldn't attribute disproven benefits to source reading!).
There are many attack vectors that make checking the source look ridiculous (compromised hardware, evil maid attack, ...). We can also question if the auditing process is working well enough, but I think that is not the point of this thread as it doesn't help to answer the initial questions.
Kind regards,
Pablo
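A toy model of the DDC check Pablo quotes from Wheeler, added here as an illustration and not part of the original thread or of Wheeler's own tooling. Everything in it is constructed: "binaries" are Python source strings with a `BIN:` marker, "running" one means exec'ing it to obtain its `compile()` function, `S_A` is the (assumed audited) compiler source, `C_T` is a trusted compiler of different origin, and `C_A_SUBVERTED` is a miniature self-perpetuating trojan of the kind Thompson described. The point it makes: the naive "rebuild the compiler with itself and compare" test passes for the trojaned binary (which is exactly why source auditing alone was argued to be meaningless), whereas the DDC stage-2 comparison against a diverse trusted compiler exposes it, and it does so even though `C_T`'s own output format differs from `C_A`'s.

```python
"""Toy model of Wheeler's Diverse Double-Compiling (DDC) check.

Constructed example: "binaries" are Python source strings prefixed with
BIN:, and running one means exec'ing it to obtain its compile() function.
S_A, C_T and the trojan are all made up for illustration.
"""
import hashlib

MARK = "BIN:"


def run(binary: str, source: str) -> str:
    """Run a compiler binary on a source text and return the output binary."""
    if not binary.startswith(MARK):
        raise ValueError("not a binary")
    ns: dict = {}
    exec(binary[len(MARK):], ns)  # toy "execution" of the binary
    return ns["compile"](source)


# s_A: the (audited, assumed honest) source of the compiler under test.
# Self-hosting: compiling S_A with any compiler that implements S_A's
# semantics yields a binary that again implements S_A's semantics.
S_A = '''
def compile(src):
    return "BIN:" + src.strip() + "\\n"
'''

# c_A as a clean self-hosted build would produce it (the fixed point of S_A).
C_A_HONEST = MARK + S_A.strip() + "\n"

# c_T: a trusted compiler of *different* origin. Its output format deliberately
# differs (a build banner); DDC tolerates that because only stage 2 is compared.
C_T = MARK + '''
def compile(src):
    return "BIN:# built by c_T\\n" + src.strip() + "\\n"
'''

# A trusting-trust style subverted c_A (constructed): it implements S_A's
# semantics for ordinary inputs, but when it recognises the compiler's own
# source it re-emits itself, so a rebuild from clean S_A keeps the backdoor.
TROJAN_BODY = '''
def compile(src):
    if "def compile" in src:
        return "BIN:TROJAN_SRC = " + repr(TROJAN_SRC) + "\\n" + TROJAN_SRC
    return "BIN:" + src.strip() + "\\n"
'''
C_A_SUBVERTED = MARK + "TROJAN_SRC = " + repr(TROJAN_BODY) + "\n" + TROJAN_BODY


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def self_rebuild_is_fixed_point(c_a: str, s_a: str) -> bool:
    """Naive check: rebuild c_A from s_A with c_A itself and compare.
    A self-perpetuating trojan passes this, which is Thompson's point."""
    return run(c_a, s_a) == c_a


def is_deterministic(c: str, s: str) -> bool:
    """DDC precondition from Wheeler's text: the build must be reproducible."""
    return run(c, s) == run(c, s)


def ddc_check(c_a: str, s_a: str, c_t: str) -> dict:
    """Wheeler's DDC: stage1 = c_T(s_A); stage2 = stage1(s_A); compare to c_A.

    If s_A is honest and c_T is honest, stage2 must be bit-identical to a
    clean c_A; a mismatch means c_A (or c_T) does not match its source."""
    if not is_deterministic(c_t, s_a):
        raise RuntimeError("c_T build of s_A is not deterministic; DDC cannot be applied")
    stage1 = run(c_t, s_a)
    stage2 = run(stage1, s_a)
    return {
        "matches": stage2 == c_a,
        "stage1_differs_from_c_a": stage1 != c_a,  # expected; format differs
        "sha256_stage2": sha256(stage2),
        "sha256_c_a": sha256(c_a),
    }


if __name__ == "__main__":
    for name, c_a in (("honest", C_A_HONEST), ("subverted", C_A_SUBVERTED)):
        print(name, "self-rebuild fixed point:", self_rebuild_is_fixed_point(c_a, S_A))
        print(name, "DDC result:", ddc_check(c_a, S_A, C_T))
```

The real procedure differs from this toy only in scale: the compilers are real toolchains, the comparison is of produced executables, and reproducible builds are what make the stage-2 byte-for-byte comparison meaningful. Note that the check still assumes `S_A` has been reviewed, which is the "you still have to check the source" caveat from Wheeler's page.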