On Sat, Dec 8, 2018 at 11:20 AM Hendrik Boom hendrik@topoi.pooq.com wrote:
On Sat, Dec 08, 2018 at 10:28:18AM -0500, Chris Tyler wrote:
On Sat, Dec 8, 2018 at 7:07 AM Pablo Rath pablo@parobalth.org wrote:
On Fri, Dec 07, 2018 at 04:52:22PM -0500, Hendrik Boom wrote:
On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
How do you know if the source is closed? :)
Let's assume this is a real question.
Hendrik, I am sorry. I see, I have phrased my (rhetorical) question poorly. What I meant and should have written is more like: "How can you know if a software behaves well and doesn't shoot the cat when you can't audit the source code?"
I must point out an error here: Ken Thompson proved that auditing source code (of software and the toolchain used to build it) is meaningless in his paper "Reflections on Trusting Trust". That paper/talk was released 34 years ago, and it wasn't theoretical -- it was based on malware that he'd successfully released into the wild many years before.
I remember reading that talk -- Wasn't it a Turing lecture? -- and I don't recall him saying he actually did release that malware -- he just explained what he *could* have done. But he didn't deny it either.
From text of the talk: "The actual bug that I planted in the compiler..."
and discussion at the time indicated that this... feature... had been present for years. I think it was safe for him to mention in '84 because many (though not all) were migrating off the original toolchain by that point.
-Chris