Re: Verifying Toolchain Semantics

[Mark H Weaver]

Ian Grant <address@hidden> writes:

> Dear programming language types,
>
> I wrote this to try once again to explain what is the nature of the
> problem that one would have in verifying the integrity of _any_
> software toolchain, whether it is aimed ultimately at the production
> of other software, or of hardware.
>
>     http://livelogic.blogspot.com/2014/10/the-foundation-part-i.html

I downloaded the PDF linked in that blog entry and attempted to view it
using Emacs's docview mode, which reported that the pdf->png process
died with a segfault.

It's ironic that someone who claims to be so concerned with security
steadfastly refuses to provide his most important essays in a simple,
transparent format.  Instead, he insists to distribute them in an opaque
format that can only be interpreted by a small handful of very complex
programs with a large attack surface.

For that matter, it's also interesting that someone concerned about
Thompson viruses would suggest that Guile should distribute it's
compiler in the form of pre-compiled intermediate C code (compiled from
Scheme) instead of bootstrapping from source code, in order to speed up
the compilation process.

I've wasted more time than I should have reading Ian's writings, looking
for an answer to this apparent contradiction in his views, and I haven't
found it.

While we're on the subject of paranoid theories, here's one for you:
maybe Ian Grant's true motive is to induce some of the most important
developers of free toolchains and the Linux kernel to load PDFs that
infect their computers with malware, in order to subvert our core
infrastructure.

Ian: tell me again, why do you refuse to distribute your essays in plain
text?  I read GNU Thunder and I don't remember seeing anything in there
that justifies the use of such a complex format.  As I recall, it's just
plain text anyway.

     Mark