[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Unofficial buildd network has been shut down

Andrew Suffield <asuffield@debian.org> writes:

> I would notice because there would be too much code in the binary;
> it's reasonably easy to verify with some simple automation. It would
> require hundreds of instructions to do something like this, which
> would have no corresponding source code. Yes, on occasion I have dug
> into gcc binaries while debugging modifications to gcc.

Ok, without looking, how many instructions should GCC have?  "Hundreds
of instructions" is what percentage of the total?  If a new version
uploads, how would you know?

What is the ration of source-code-lines to source lines?

And, note that Ken Thompson's point is that even your test won't
help.  I can easily add cheat-code to the debugger that refuses to
display the relevant routines and misrepresents the appearance of the

> It would not be difficult to vary the technique and ensure there are
> no such things hiding in the file. I don't believe in conspiracies so
> large that they could stop some random perl script from spotting the
> hidden code; the sheer *quantity* of hidden trojans you'd need would
> make them rather easy to spot.

Actually, that's the splendid thing.  I have to put them only in the
compiler (if I'm clever enough), and once the system is recompiled,
they will be in all the right tools, and the whole cheat becomes

It's really very clever!

Reply to: