guile-devel

Re: The Free Semantics Foundation


From: Ian Grant
Subject: Re: The Free Semantics Foundation
Date: Thu, 4 Sep 2014 19:59:25 -0400

On Wed, Sep 3, 2014 at 10:21 PM, William ML Leslie <address@hidden> wrote:

> I'm not too sure how different distributions are bootstrapping
> GCC, but I presume most all of them have been using the
> previous version of GCC to do so for a very long time.
> My recollection of the early nineties is not great, but
> I don't recall GNU being at sufficient Ghandicon that
> it would have seemed worthwhile attempting it.

Linux was more of a threat to the commercial Unix vendors than to Microsoft. The Unix vendors must have lost billions to Linux. I don't know if they were really evil enough to do anything like this though. I have the feeling that most of them have more respect for good engineering than they have for money. And I don't know about what sort of a threat people saw in GNU, but the point of compromising a C compiler is to get access to the systems which use it. There are all sorts of reasons why people might want access to OpenBSD systems which are used where good security is needed, by an SSL certificate authority, say. I have a sample population of one! I installed an OpenBSD machine as a firewall for a venture capital company once.

> Besides, there are easier ways to get that kind of control of a
> system, such as with SMM or hardware - even hardware like
> graphics cards and USB sticks, if you understand how the
> system will behave when presented with out-of-spec signals.

If your aim is access to just one system, maybe, but physical security of one machine is much easier to effect than virtual security of a system that is connected to a wide area network. And if your aim is hacienda-style mass surveillance, or opportunistic mass hacking or whatever those turkeys do, or if it is to co-opt the storage, computation and communications resources of 5 million networked machines, then going around them one by one with a dodgy USB stick is not going to seem like a practical proposition for very long. But if you could make a concerted attempt to hit one single point of failure and thereby get into 10 million systems, each with a half-decent multi-user OS installed, then it is probably worth taking the trouble to do it right.

I wasn't so focused on the insecurity aspect when I sent this out a couple of weeks ago. I am much more interested in the positive things we could do. Below is the mail I first sent out on 21 Aug. Richard was the only one who replied. He said it was an interesting idea for research.

But I don't think we need to do any more research. It's all been done for us. We just need to read and understand it, and the best way to do that is to get on with implementing it.

> > Focussing on free source code is pointless, we need to focus on free
> > semantics.

> I don't see how this (any of the paragraph) followed from the above.
> If compilers used for bootstrapping have incorporated the Ritchie
> crack, how are patents going to make your system secure?

Why does Ritchie get the blame for this? There's a gap in my education.

I don't think patents help at all, I am just trying to explain why I don't think that the FSF should be expected to immediately embrace this idea whole-heartedly. This is because the solution is to publish semantics from which _anyone_ can generate working source code in any language. But then whether source is open or closed, free or otherwise, is irrelevant. But this is the _only_ way to establish the semantic fixed-point by which you can actually know that the system is very probably doing what you expect with your input. This is because there is no conceivable way to make a system identify some source-code as having a particular intension, such as compiling a C program, if that source code can be arbitrarily "complexified" by multiple re-interpretation in different languages. There is no particular concrete representation of the semantics anymore: it's all a question of actual human knowledge, and that is inaccessible to symbolic computation.

Now Richard claims that GCC, say, achieves this, because the concrete representation keeps changing. But it doesn't change nearly enough. It is always still the same basic structure: because it's simply too time-consuming to do major source-code restructuring every release. But that is what you have to do if you want to escape having your point fixed.

It's easier to understand if you actually write some code. A good place to start might be Reynolds' paper on Definitional Interpreters. It looks like maths, but it's really just programming. I suspect that he ran all the code, and then just pretty-printed it in mathematical notation. So scheme hackers would have no trouble at all implementing the records that specify machine operations, and running them. And Guile has all the infrastructure to do a really nice job of it.

Have a look. It's at https://cs.au.dk/~hosc/local/HOSC-11-4-pp363-397.pdf

Ian

======================

Dear Markus, Linus, Theo and Richard,

I have written this as a sort of manifesto for a project. The idea is to develop software for automating programming. If we can automate the production of concrete implementations of communications protocols, device drivers, language interpreters, etc, then we can change and combine such implementations much more easily. We could also secure systems by design: if all the code on an exposed interface in a communications or an operating system is automatically generated, then we can ensure that buffer overruns etc can't happen.

What I have not mentioned explicitly is the possibility of securing communications by automatically generating code to implement a protocol with an arbitrary underlying representation. At a lower level, one could simply permute the character-set one is using. But more generally one can permute abstract syntax representations of arbitrarily complex structures and reduce the probability of compromise to any positive epsilon. I didn't mention this because I thought it better not to make the manifesto a political one, but of course it is a political one.

Feel free to pass it around.

Best wishes

================

On 4 September 2014 11:57, Ian Grant <address@hidden> wrote:
> Now it may seem unlikely to some that this has been done. But it is surely
> obvious to *everyone* that this is *possible,* and since the advantage an
> attacker accrues if he can pull this off effectively is incalculable, it
> should also be obvious to *everyone* that if this has not yet been done,
> then it will soon be done. Perhaps as a direct result of people reading what
> I am writing right now.


--
William Leslie

Notice:
Likely much of this email is, by the nature of copyright, covered
under copyright law.  You absolutely MAY reproduce any part of it in
accordance with the copyright law of the nation you are reading this
in.  Any attempt to DENY YOU THOSE RIGHTS would be illegal without
prior contractual agreement.
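The two ideas Ian points at, a Reynolds-style definitional interpreter built from "records that specify machine operations", and the manifesto's suggestion of implementing one abstract language under permuted concrete representations, as an added example that is not part of the thread and not code from Reynolds' paper. It is written for Guile; the record types, `parse`, `run`, `show` and the two tag tables are this example's own choices, and the sample program is constructed here. Two surface syntaxes with disjoint keyword vocabularies are parsed to the same abstract program and evaluated by the same meaning function, so the shared fixed point is the abstract semantics, not either concrete text.

```scheme
;; Added example, not code from the thread or from Reynolds' paper.
;; A definitional interpreter for a tiny applicative-order language,
;; written for Guile.  Abstract syntax is a set of records; the surface
;; syntax is a separate, swappable tag vocabulary.  All names below are
;; this example's own choices.
(use-modules (srfi srfi-9))

;; Abstract syntax: constants, variables, lambda, application, and a
;; binary primitive whose operation is named by a symbol (add, mul, sub).
(define-record-type <const> (make-const v) const? (v const-v))
(define-record-type <var>   (make-var n)   var?   (n var-n))
(define-record-type <lam>   (make-lam p b) lam?   (p lam-p) (b lam-b))
(define-record-type <app>   (make-app f a) app?   (f app-f) (a app-a))
(define-record-type <prim>  (make-prim op l r) prim?
  (op prim-op) (l prim-l) (r prim-r))

;; Environments as functions from names to values, as in Reynolds'
;; first (meta-circular) interpreter.
(define (empty-env) (lambda (n) (error "unbound variable" n)))
(define (extend env n v) (lambda (m) (if (eq? m n) v (env m))))

(define (prim-proc op)
  (case op
    ((add) +) ((mul) *) ((sub) -)
    (else (error "unknown primitive" op))))

;; The meaning function: abstract syntax + environment -> value.
(define (eval-expr e env)
  (cond ((const? e) (const-v e))
        ((var? e)   (env (var-n e)))
        ((lam? e)   (lambda (arg)
                      (eval-expr (lam-b e) (extend env (lam-p e) arg))))
        ((app? e)   ((eval-expr (app-f e) env) (eval-expr (app-a e) env)))
        ((prim? e)  ((prim-proc (prim-op e))
                     (eval-expr (prim-l e) env)
                     (eval-expr (prim-r e) env)))
        (else (error "not abstract syntax" e))))

;; Front end: s-expressions -> abstract syntax, driven by a tag table that
;; maps concrete keywords to abstract constructors.  Permuting the table
;; permutes the surface representation without touching the semantics.
(define (parse sx tags)
  (define (kind s) (let ((p (assq s tags))) (and p (cdr p))))
  (cond ((number? sx) (make-const sx))
        ((symbol? sx) (make-var sx))
        ((and (pair? sx) (kind (car sx)))
         => (lambda (k)
              (if (eq? k 'lam)
                  (make-lam (cadr sx) (parse (caddr sx) tags))
                  (make-prim k (parse (cadr sx) tags) (parse (caddr sx) tags)))))
        ((pair? sx) (make-app (parse (car sx) tags) (parse (cadr sx) tags)))
        (else (error "not a program" sx))))

;; Canonical printed form of the abstract syntax, used to check that
;; programs in different surface vocabularies denote the same thing.
(define (show e)
  (cond ((const? e) (const-v e))
        ((var? e)   (var-n e))
        ((lam? e)   (list 'lam (lam-p e) (show (lam-b e))))
        ((app? e)   (list 'app (show (app-f e)) (show (app-a e))))
        ((prim? e)  (list 'prim (prim-op e) (show (prim-l e)) (show (prim-r e))))))

(define (run sx tags) (eval-expr (parse sx tags) (empty-env)))

;; Two tag vocabularies for the same abstract language (constructed here).
(define standard-tags '((lambda . lam) (+ . add) (* . mul) (- . sub)))
(define permuted-tags '((zq . lam) (bv . add) (kx . mul) (wd . sub)))

;; One program, (lambda f (f 3)) applied to (lambda x (+ (* x 2) 1)),
;; written once in each vocabulary.
(define prog-standard '((lambda f (f 3)) (lambda x (+ (* x 2) 1))))
(define prog-permuted '((zq f (f 3)) (zq x (bv (kx x 2) 1))))

(define std-ast  (parse prog-standard standard-tags))
(define perm-ast (parse prog-permuted permuted-tags))

;; The concrete texts differ; the abstract programs and their values agree.
(unless (equal? (show std-ast) (show perm-ast))
  (error "surface syntaxes do not share an abstract program"))
(unless (and (= 7 (run prog-standard standard-tags))
             (= 7 (run prog-permuted permuted-tags)))
  (error "interpreter gave the wrong value"))

(display (show std-ast)) (newline)
(display (run prog-permuted permuted-tags)) (newline)
```

Run it with `guile example.scm`. Only the `tags` table differs between the two front ends; anyone holding the abstract definitions (`eval-expr` and the record types) can regenerate a working front end for any chosen vocabulary, which is the sense in which the semantics, rather than any one concrete source text, is what has to be shared.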

