Hi Ludovic,

[email protected] (Ludovic Courtès) writes:
> However, in theory, that doesn’t save us from trusting-trust
> attacks [1]: the bootstrap GCC could contain a trap, such that the trap
> is always preserved across recompilations of GCC, even if it’s absent
> from the GCC source being compiled.
>
> David A. Wheeler’s thesis [2] addresses this topic. Roughly, it shows
> that a compiler can be tested for traps by relying on a “trusted”
> compiler [3].

I don't think this is an adequate summary of David's technique for
defeating Thompson viruses. Under his method, one needn't trust any
single compiler. Instead, one uses several different compilers to
bootstrap a single compiler, and checks that the results of all of
those bootstraps yield the same result. One need only trust that the
first-stage compilers aren't _all_ compromised with the same Thompson
virus. This is much more reasonable than expecting everyone to trust
the Guix bootstrap tarballs. In order to defeat this method, a Thompson
virus would have to be sophisticated enough to hide itself in all of the
compilers, and be able to jump from one compiler to another.

Regards,
Mark
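
The comparison described in the message above, as an added toy model in Python; it is not part of the original email or of Wheeler's thesis. The `Binary` record, the compiler names (`cc-a`, `cc-b`, `cc-c`), `toycc-src` and the `carried` field are constructed assumptions that stand in for real compilers and for a payload that survives recompilation.

```python
import hashlib
from collections import defaultdict, namedtuple

# Toy model, constructed for illustration: a binary records whose code
# generator emitted it, which source it behaves as, and any hidden payload
# it copies into every compiler it builds (None when honest).
Binary = namedtuple("Binary", "emitted_by behaves_as carried")
SOURCE = "toycc-src"  # hypothetical compiler source being bootstrapped

def run(compiler, source):
    """Compile `source` with `compiler` and return the resulting binary."""
    return Binary(compiler.behaves_as, source, compiler.carried)

def digest(binary):
    """SHA-256 over the modelled contents of a binary."""
    return hashlib.sha256(repr(tuple(binary)).encode()).hexdigest()

def bootstrap(stage0):
    """Two-stage bootstrap: stage0 builds stage1, stage1 rebuilds itself."""
    stage1 = run(stage0, SOURCE)
    return stage1, run(stage1, SOURCE)

def compare(stage0s):
    """Group stage-0 compilers by the stage-2 digest they lead to."""
    if len(stage0s) < 2:
        raise ValueError("need at least two independent stage-0 compilers")
    groups = defaultdict(list)
    for name, cc in stage0s.items():
        groups[digest(bootstrap(cc)[1])].append(name)
    # Largest group first; more than one group means a mismatch to investigate.
    return sorted(groups.values(), key=len, reverse=True)

# Constructed scenarios: all honest, one tampered, all tampered identically.
honest = {n: Binary("vendor", n, None) for n in ("cc-a", "cc-b", "cc-c")}
one_bad = {**honest, "cc-c": Binary("vendor", "cc-c", "trap")}
all_bad = {n: b._replace(carried="trap") for n, b in honest.items()}

if __name__ == "__main__":
    for label, ccs in (("honest", honest), ("one bad", one_bad),
                       ("all bad", all_bad)):
        print(f"{label:8} -> {compare(ccs)}")
```

Stage-1 binaries differ for every stage-0 compiler even in the honest case, so only the stage-2 digests are compared. The `all_bad` scenario yields a single agreeing group, which is the residual trust assumption the message names.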