On Sat, Dec 08, 2018 at 11:19:43AM -0500, Hendrik Boom wrote:
On Sat, Dec 08, 2018 at 10:28:18AM -0500, Chris Tyler wrote:
On Sat, Dec 8, 2018 at 7:07 AM Pablo Rath pablo@parobalth.org wrote:
On Fri, Dec 07, 2018 at 04:52:22PM -0500, Hendrik Boom wrote:
On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
How do you know if the source is closed? :)
Let's assume this is a real question.
Hendrik, I am sorry. I see I have phrased my (rhetorical) question poorly. What I meant and should have written is more like: "How can you know if a software behaves well and doesn't shoot the cat when you can't audit the source code?"
I must point out an error here: Ken Thompson proved that auditing source code (of software and the toolchain used to build it) is meaningless in his paper "Reflections on Trusting Trust". That paper/talk was released 34 years ago, and it wasn't theoretical -- it was based on malware that he'd successfully released into the wild many years before.
I remember reading that talk -- wasn't it a Turing lecture? -- and I don't recall him saying he actually did release that malware -- he just explained what he *could* have done. But he didn't deny it either.
Or do you have further information on this? If so I'd like to hear it.
Let me be pleased there is more than one C compiler in existence. And that it is undecidable whether an arbitrary piece of code actually compiles C, so that his malware, should it exist, is limited in scope.
This problem is one of the reasons why bootstrappable.org, GNU Mes and such things exist so it is easier to detect when object code does not correspond to source code.
Regards, Florian