Re: Packages removed from frozen



On 09-Feb-2000, Manoj Srivastava <srivasta@debian.org> wrote:
>         Of course, some version X of gcc may introduce a trojan
>  visible in the source code, and remove it in version X+1; but leave
>  the infected binary around to perpetuate the trojan. I would expect
>  the gcc maintainer to be familiar with the diffs and catch the most
>  obvious of these attempts, but I suspect that gcc sources ought to
>  be built on other platforms periodically (perhaps even cross
>  compiled) to ensure ourselves that the code is still clean.

Building the gcc source on another platform proves absolutely nothing
except that the sources are compilable.

Cross compiling using a different compiler is a reasonable start.

You actually need to cross compile with a different (preferably "known
good" compiler that you wrote yourself, but an independent one is
reasonable) C compiler.
Then you should bootstrap the suspected sources with the cross compiled binary.

Then you should bootstrap the same suspected sources with a suspected
infected binary.

The files should check out to be exactly the same.
However, all the tools you use along the way must also be compiled
with the cross-compiled compiler, otherwise (for example) diff might
be infected to report that the files are the same when they are not.
Or ls might give the wrong file size, etc.

This is of course assuming the mother-of-all binary viruses.
I personally don't believe this exists or has ever existed.
The mechanism of transferral is simply too fragile.

-- 
The quantum sort: 
	while (!sorted) { do_nothing(); }
Tyson Dowd   <tyson@tyse.net>   http://tyse.net/
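The three-stage check the reply lays out (build the suspect sources with an independent compiler, bootstrap them with that result, bootstrap them with the suspect binary, compare) as an added toy model; this is illustrative code written for this page, not anything from the thread or from gcc. Compilers are modelled as functions from source text to a small "binary" record, the trojan is a flag a subverted compiler re-inserts whenever it compiles compiler sources, and the comparison itself is assumed to run on trusted tooling, which is exactly the caveat the reply raises about diff and ls.

```python
import hashlib

# Constructed stand-in for the compiler sources under suspicion (e.g. a gcc release).
COMPILER_SRC = "compiler: lex; parse; emit code"


def is_compiler_source(src: str) -> bool:
    """Hypothetical recogniser: does this source text build a compiler?"""
    return src.startswith("compiler:")


def make_compiler(trojaned: bool):
    """Return a compile(src) function.

    A clean compiler translates the source faithfully. A trojaned one does
    the same, but when the input is compiler source it marks the output
    as trojaned too, so the infection survives even when the source is clean.
    """
    def compile_(src: str) -> dict:
        binary = {"code": hashlib.sha256(src.encode()).hexdigest(), "trojan": False}
        if trojaned and is_compiler_source(src):
            binary["trojan"] = True
        return binary
    return compile_


def run_compiler(binary: dict):
    """'Execute' a compiler binary: hand back the compile function it implements."""
    return make_compiler(binary["trojan"])


def ddc_check(trusted_compile, suspect_binary: dict, src: str) -> bool:
    """Diverse double-compiling as described in the mail.

    Returns True when the two bootstrapped binaries match, i.e. the suspect
    binary produced the same compiler as one derived from the independent
    compiler. Assumes trusted_compile is genuinely clean and that this
    comparison runs on tooling that was itself built with it.
    """
    stage1 = trusted_compile(src)                        # src built by the independent compiler
    stage2_trusted = run_compiler(stage1)(src)           # src bootstrapped with that result
    stage2_suspect = run_compiler(suspect_binary)(src)   # src bootstrapped with the suspect binary
    return stage2_trusted == stage2_suspect


def demo() -> tuple:
    trusted = make_compiler(trojaned=False)
    clean_binary = make_compiler(trojaned=False)(COMPILER_SRC)
    infected_binary = make_compiler(trojaned=True)(COMPILER_SRC)
    return (ddc_check(trusted, clean_binary, COMPILER_SRC),
            ddc_check(trusted, infected_binary, COMPILER_SRC))


if __name__ == "__main__":
    print("clean binary passes: %s, infected binary passes: %s" % demo())
```

Note that a single build on another platform (the step the quoted message proposes) corresponds here to stage1 alone, which says nothing about the suspect binary; only the comparison of the two stage2 outputs does.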