[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages removed from frozen

>>"Tyson" == Tyson Dowd <trd@cs.mu.OZ.AU> writes:

 Tyson> On 09-Feb-2000, Manoj Srivastava <srivasta@debian.org> wrote:
 >> Of course, some version X of gcc may introduce a trojan
 >> visible in the source code, and remove it in version X+1; but leave
 >> the infected binary around to perpetiuate teh trojan. I would expect
 >> the gtcc maintainer to be familair with the diffs and catch the most
 >> obvious of these attemptsl but I susptec that gcc sourrces ought to
 >> be built on other platforms periodically (perhaps even cross
 >> compiled) to ensure ourselves that the code is still clean.

 Tyson> Building the gcc source on another platform proves absolutely nothing
 Tyson> except that the sources are compilable.

        Really? Ok, I';ll spell it out.. I compile the first phase
 with a non gcc CC. The resulting gcc binary can't have a binary only
 trojan -- anything this resulting gcc has has to come from the code
 complied by the native (say, HPUX) cc.

        Then phase 2 is compiled by this gcc1. The resulting gcc2 is
 used to commpile gcc3. gcc2 and gcc3 are compared, byte for byte.

        Now please demonstrate how a binary only trojan, which does
 not exist in code, slips through that process.

        Then you use this gcc to cross compile gcc for Linux.

 Tyson> Cross compiling using a different compiler is a reasonable start.

        As above.

 Tyson> You actually need to cross compile with a different
 Tyson> (preferrably "known good" compiler that you wrote yourself,
 Tyson> but an independent one is reasonable) C compiler.  Then you
 Tyson> should bootstrap the suspected sources with the cross compiled
 Tyson> binary.

        Ah. We are, then, on the same track

 Tyson> Then you should bootstrap the same suspected sources with a suspected
 Tyson> infected binary.

 Tyson> The files should check out to be exactly the same.
 Tyson> However, all the tools you use along the way must also be compiled
 Tyson> with the cross-compiled compiler, otherwise (for example) diff might
 Tyson> be infected to report that the files are the same when they are not.
 Tyson> Or ls might give the wrong file size, etc.

 Tyson> This is of course assuming the mother-of-all binary viruses.
 Tyson> I personally don't believe this this exists or has ever existed.
 Tyson> The mechanism of transferral is simply too fragile.

        Then you do not know your C history.


 RANDOMIZATION: The assignment of subjects to conditions in an
 experiment according to some preconceived plan. Randomness like
 chastity is more often claimed than maintained.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to: