On Sat, Dec 8, 2018 at 11:20 AM Hendrik Boom <[email protected]> wrote:
> On Sat, Dec 08, 2018 at 10:28:18AM -0500, Chris Tyler wrote:
> > On Sat, Dec 8, 2018 at 7:07 AM Pablo Rath <[email protected]> wrote:
> >
> > > On Fri, Dec 07, 2018 at 04:52:22PM -0500, Hendrik Boom wrote:
> > > > On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
> > > > >
> > > > > How do you know if the source is closed? :)
> > > >
> > > > Let's assume this is a real question.
> > >
> > > Hendrik, I am sorry. I see, I have phrased my (rhetorical) question
> > > poorly. What I meant and should have written is more like: "How can you
> > > know if a software behaves well and doesn't shoot the cat when you
> > > can't audit the source code?"
> > >
> >
> > I must point out an error here: Ken Thompson proved that auditing source
> > code (of software and the toolchain used to build it) is meaningless in his
> > paper "Reflections on Trusting Trust". That paper/talk was released 34
> > years ago, and it wasn't theoretical -- it was based on malware that he'd
> > successfully released into the wild many years before.
>
> I remember reading that talk -- Wasn't it a Turing lecture? -- and I don't
> recall him saying he actually did release that malware -- he just explained
> what he *could* have done. But he didn't deny it either.
>

From text of the talk: "The actual bug that I planted in the compiler..." and discussion at the time indicated that this... feature... had been present for years. I think it was safe for him to mention in '84 because many (though not all) were migrating off the original toolchain by that point.

-Chris
