Re: Packages removed from frozen
>>"Tyson" == Tyson Dowd <trd@cs.mu.OZ.AU> writes:
Tyson> On 09-Feb-2000, Manoj Srivastava <srivasta@debian.org> wrote:
>> Of course, some version X of gcc may introduce a trojan
>> visible in the source code, and remove it in version X+1; but leave
>> the infected binary around to perpetuate the trojan. I would expect
>> the gcc maintainer to be familiar with the diffs and catch the most
>> obvious of these attempts, but I suspect that gcc sources ought to
>> be built on other platforms periodically (perhaps even cross
>> compiled) to ensure ourselves that the code is still clean.
Tyson> Building the gcc source on another platform proves absolutely nothing
Tyson> except that the sources are compilable.
Really? Ok, I'll spell it out. I compile the first phase
with a non-gcc CC. The resulting gcc binary can't have a binary-only
trojan -- anything this resulting gcc has has to come from the code
compiled by the native (say, HPUX) cc.
Then phase 2 is compiled by this gcc1. The resulting gcc2 is
used to compile gcc3. gcc2 and gcc3 are compared, byte for byte.
Now please demonstrate how a binary only trojan, which does
not exist in code, slips through that process.
Then you use this gcc to cross compile gcc for Linux.
Tyson> Cross compiling using a different compiler is a reasonable start.
As above.
Tyson> You actually need to cross compile with a different
Tyson> (preferably "known good" compiler that you wrote yourself,
Tyson> but an independent one is reasonable) C compiler. Then you
Tyson> should bootstrap the suspected sources with the cross compiled
Tyson> binary.
Ah. We are, then, on the same track
Tyson> Then you should bootstrap the same suspected sources with a suspected
Tyson> infected binary.
Tyson> The files should check out to be exactly the same.
Tyson> However, all the tools you use along the way must also be compiled
Tyson> with the cross-compiled compiler, otherwise (for example) diff might
Tyson> be infected to report that the files are the same when they are not.
Tyson> Or ls might give the wrong file size, etc.
Tyson> This is of course assuming the mother-of-all binary viruses.
Tyson> I personally don't believe this exists or has ever existed.
Tyson> The mechanism of transferral is simply too fragile.
Then you do not know your C history.
manoj
--
RANDOMIZATION: The assignment of subjects to conditions in an
experiment according to some preconceived plan. Randomness like
chastity is more often claimed than maintained.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
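The bootstrap procedure argued over above (stage 1 built by an independent cc, stage 2 built by stage 1, stage 3 built by stage 2, the last two compared byte for byte, then the same sources built with the suspect binary and compared too) can be played through on a toy model. The following is an added example and not code from the thread, from Debian or from gcc: "binaries" are small JSON images, the compiler sources, object-format names, trojan section name and login backdoor are all constructed stand-ins, and the trusted HP-UX cc is simply assumed to implement its source exactly. The model keeps the one property that matters: a trojaned binary behaves differently from its own source only when compiling a compiler or the login program, so no source diff can reveal it.

```python
"""Toy model of the bootstrap comparison discussed in the thread (added example).

A "binary" is a JSON image: the object format it was emitted in, the program
it implements (its semantics) and extra sections.  Running a compiler binary
on a source file behaves exactly as that compiler's SOURCE says, with one
exception: a binary carrying a trojan section also (a) copies that section
into any compiler it builds and (b) patches the login program.  No source
text ever mentions the trojan; only the bootstrap comparison can catch it.
"""
import json

TROJAN_SECTION = ".trojan"      # constructed name for the binary-only payload
BACKDOOR = "    if password == 'letmein':\n        return True   # binary-only insert\n"

# Constructed sample sources.  The first line names the kind of program and,
# for a compiler, the object format it emits (a stand-in for the code-generation
# details that make two compilers' output differ byte for byte).
GCC_SRC = "#! compiler emits=elf-gcc\n# ... honest gcc sources, nothing hidden here ...\n"
HPUX_CC_SRC = "#! compiler emits=som-hpux\n# ... independent vendor cc ...\n"
LOGIN_SRC = "#! login\ndef check(user, password):\n    return stored(user) == hash(password)\n"


def header(src):
    """Return (kind, emitted-format) from a source file's first line."""
    fields = src.splitlines()[0].split()
    options = dict(f.split("=", 1) for f in fields[2:])
    return fields[1], options.get("emits")


def serialise(image):
    return json.dumps(image, sort_keys=True).encode()


def deserialise(binary):
    return json.loads(binary.decode())


def trusted_binary(src):
    """A binary we have independent reason to trust implements src exactly (assumed)."""
    _, emits = header(src)
    return serialise({"format": emits, "semantics": src, "sections": {}})


def infect(compiler_bin):
    """Attacker step: add a self-propagating payload to an otherwise clean binary."""
    image = deserialise(compiler_bin)
    image["sections"][TROJAN_SECTION] = "payload: re-insert self into compilers, backdoor login"
    return serialise(image)


def run_compiler(compiler_bin, src):
    """Execute compiler_bin on src; the result is a binary (bytes)."""
    image = deserialise(compiler_bin)
    kind, emits = header(image["semantics"])
    if kind != "compiler":
        raise ValueError("not a compiler binary")
    out_kind, _ = header(src)
    semantics, sections = src, {}
    if TROJAN_SECTION in image["sections"]:        # behaviour absent from any source
        if out_kind == "compiler":
            sections[TROJAN_SECTION] = image["sections"][TROJAN_SECTION]
        elif out_kind == "login":
            semantics = src.replace("def check(user, password):\n",
                                    "def check(user, password):\n" + BACKDOOR)
    return serialise({"format": emits, "semantics": semantics, "sections": sections})


def bootstrap(trusted_cc_bin, compiler_src):
    """The three phases in the message: stage 1 is built by a non-gcc cc,
    stage 2 by stage 1, stage 3 by stage 2.  Returns (stage1, stage2, stage3)."""
    stage1 = run_compiler(trusted_cc_bin, compiler_src)
    stage2 = run_compiler(stage1, compiler_src)
    stage3 = run_compiler(stage2, compiler_src)
    return stage1, stage2, stage3


def check_suspect(trusted_cc_bin, compiler_src, suspect_bin):
    """Return (self_reproducing, matches_trusted_build).

    self_reproducing is stage2 == stage3 from the trusted bootstrap;
    matches_trusted_build compares that stage2 with the same sources compiled
    by the suspect binary.  The comparison itself has to run on trusted tools:
    here it is Python's bytes equality, not a diff or ls the suspect built.
    """
    _, stage2, stage3 = bootstrap(trusted_cc_bin, compiler_src)
    from_suspect = run_compiler(suspect_bin, compiler_src)
    return stage2 == stage3, from_suspect == stage2


def is_backdoored(login_bin):
    return BACKDOOR in deserialise(login_bin)["semantics"]


if __name__ == "__main__":
    hpux_cc = trusted_binary(HPUX_CC_SRC)
    clean_gcc = trusted_binary(GCC_SRC)
    bad_gcc = infect(clean_gcc)
    print("clean gcc:", check_suspect(hpux_cc, GCC_SRC, clean_gcc))
    print("infected gcc:", check_suspect(hpux_cc, GCC_SRC, bad_gcc))
    # The infected binary rebuilds itself byte for byte, so a stage2/stage3
    # comparison that started from it would pass; the independent stage 1 is
    # what makes the mismatch visible.
    twice = run_compiler(run_compiler(bad_gcc, GCC_SRC), GCC_SRC)
    print("suspect self-consistent:", twice == run_compiler(bad_gcc, GCC_SRC))
    print("login from infected gcc backdoored:", is_backdoored(run_compiler(bad_gcc, LOGIN_SRC)))
```

Run it as a script to see the clean binary pass both comparisons, the infected one pass only the self-reproduction test, and the login program built by the infected compiler carry the backdoor while the one built by the trusted stage 2 does not. The `check_suspect` docstring carries the caveat from the thread: the bytes comparison and any `ls`/`diff` around it must themselves come from the trusted toolchain.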