[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]

On 3/4/21 12:43 AM, tomas@tuxteam.de wrote:


Read David A. Wheeler's work [1] and put yourself in the 2010s :-)


> [1] https://dwheeler.com/trusting-trust/

The abstract states:

    "In the DDC technique, source code is compiled twice: once with a
    second (trusted) compiler (using the source code of the compiler’s
    parent), and then the compiler source code is compiled using the
    result of the first compilation. If the result is bit-for-bit
    identical with the untrusted executable, then the source code
    accurately represents the executable."


I find the above to be unclear:

1.  What source code is compiled twice?

2.  Where do I get the second (trusted) compiler?

3.  How do I compile using the source code of the compiler's parent?
5. Is the compiler source code the same as, or different from, the source code of the compiler's parent? 

6.  What result and what untrusted executable are compared bit-for-bit?
7. What if the compiler, by design, does not produce identical output for identical input? 

8.  Where do I get a trusted computer to do all of the above?



Back to the topic: I do trust my ISP significantly less than I do
OpenWRT. Therefore there is something between their provided router
and my home network.


Layering is a traditional defensive strategy.


David
Reply to: