Mark H Weaver <[email protected]> wrote:

> Hi Ludovic,
>
> [email protected] (Ludovic Courtès) writes:
>
>> However, in theory, that doesn’t save us from trusting-trust
>> attacks [1]: the bootstrap GCC could contain a trap, such that the trap
>> is always preserved across recompilations of GCC, even if it’s absent
>> from the GCC source being compiled.
>>
>> David A. Wheeler’s thesis [2] addresses this topic. Roughly, it shows
>> that a compiler can be tested for traps by relying on a “trusted”
>> compiler [3].
>
> I don't think this is an adequate summary of David's technique for
> defeating Thompson viruses. Under his method, one needn't trust any
> single compiler. Instead, one uses several different compilers to
> bootstrap a single compiler, and checks that the results of all of
> those bootstraps yield the same result.

Right.

> One need only trust that the first-stage compilers aren't _all_
> compromised with the same Thompson virus. This is much more
> reasonable than expecting everyone to trust the Guix bootstrap
> tarballs. In order to defeat this method, a Thompson virus would have
> to be sophisticated enough to hide itself in all of the compilers, and
> be able to jump from one compiler to another.

Yes, you’re right (I may have been fooled by the wording in
<http://www.dwheeler.com/trusting-trust/dissertation/html/wheeler-trusting-trust-ddc.html#4.2.Informal%20description%20of%20DDC>.)

In Guix we can use different variants of the bootstrap compiler to build
the tarballs, but in practice I suspect these would have to remain
variants of the same thing (GCC), not completely different compilers.

Ludo’.
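
The check discussed in this thread, as a toy model added here (not code from the thread, from Guix, or from Wheeler's dissertation): a compiler is reduced to three fields, and every name in it is hypothetical. It shows stage-1 binaries differing while stage-2 binaries agree, a single trapped first-stage compiler standing out, and the check passing when all first-stage compilers carry the same trap.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

COMPILER_SRC = "compiler-source"  # constructed stand-in for the GCC source being built

@dataclass(frozen=True)
class Binary:
    behaviour: str    # what the program does, fixed by the source it was built from
    emitted_by: str   # behaviour of the compiler that generated its machine code
    trapped: bool     # carries a self-propagating trap that is absent from the source

    def digest(self) -> str:
        blob = f"{self.behaviour}|{self.emitted_by}|{self.trapped}"
        return hashlib.sha256(blob.encode()).hexdigest()

def compile_with(compiler: Binary, source: str) -> Binary:
    # Output depends on the source and on how `compiler` behaves, not on who
    # built `compiler`. A trapped compiler re-inserts its trap whenever it
    # recognises the compiler source (the trusting-trust behaviour).
    return Binary(source, compiler.behaviour, compiler.trapped and source == COMPILER_SRC)

def bootstrap(first_stage: Binary) -> tuple[Binary, Binary]:
    stage1 = compile_with(first_stage, COMPILER_SRC)  # differs per first-stage compiler
    stage2 = compile_with(stage1, COMPILER_SRC)       # should be identical for all
    return stage1, stage2

def check(first_stages: dict[str, Binary]) -> dict[str, list[str]]:
    """Group first-stage compilers by the digest of the stage-2 compiler they yield."""
    groups: dict[str, list[str]] = {}
    for name, compiler in first_stages.items():
        _, stage2 = bootstrap(compiler)
        groups.setdefault(stage2.digest(), []).append(name)
    return groups

def first_stage(name: str, trapped: bool = False) -> Binary:
    # Assumption: each first-stage compiler has its own code generator (`name`).
    return Binary(behaviour=name, emitted_by="unknown", trapped=trapped)

if __name__ == "__main__":
    # Constructed scenario: three first-stage compilers, "B" is trapped.
    diverse = {n: first_stage(n, trapped=(n == "B")) for n in "ABC"}
    for digest, names in check(diverse).items():
        print(digest[:12], names)
```

More than one group in the result means the bootstraps disagree and the minority compiler deserves scrutiny; a single group is only as strong as the assumption that the first-stage compilers do not all share one trap.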
