
Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]



On Thu, 4 Mar 2021 09:43:57 +0100
<tomas@tuxteam.de> wrote:

> On Wed, Mar 03, 2021 at 05:42:36PM -0800, David Christensen wrote:
> 
> [...]
> 
> > So, you designed, built, and programmed your "single other machine"
> > using machines that you designed, built [...]  
> 
> This is disingenuous.
> 
> The whole game is about trust. I trust gcc more than I trust MSVC.

Undoubtedly. But there is also no doubt that gcc and every other
serious compiler in the West has been compromised. Why would they *not*
be?



> The one aspect missing is, though, the "social" aspect: the software
> endeavour has become so devilishly complex that the idea of One
> Person (TM) checking everything down to some hypothetical "Trust
> Roots" is... theoretical, to state it politely. You gotta delegate
> some trust (well, most of it, actually).

Indeed. The new heartbeat/data return function in OpenSSL, itself the
core of much Open Source security, was suggested by the programmer
himself, and the resulting code was audited by *one* other person before
approval and distribution. What could possibly go wrong?

> 
> And oh, do yourself a favour and dare a step forward from the 1984s.
> Read David A. Wheeler's work [1] and put yourself in the 2010s :-)
> 
> Back to the topic: I do trust my ISP significantly less than I do
> OpenWRT. Therefore there is something between their provided router
> and my home network.

Of course. Any externally-supplied network device is inherently
untrusted. It is unwise to give any IoT device access to your network;
it is fail-safe to assume that every such device reports back as much
as possible to some Chinese company. But most people do unwise things
frequently, as most of us are unwise in many areas. We just happen to
know a bit about networking.

-- 
Joe

