On Fri, Nov 25, 2022 at 11:15:26AM +0000, Joe wrote:
> On Thu, 24 Nov 2022 16:05:31 -0500
> Jeremy Hendricks <jwh1...@gmail.com> wrote:
>
> > I have no idea what you mean. It’s open source and you can analyze
> > the code line by line.
>
> You can analyse the *source* code. The machine code it allegedly
> produces cannot be analysed any more easily than can closed-source
> software. Assembler maps one-to-one to machine code, statements in a
> compiled language do not come close to that.
>
> Ken Thompson showed how it's done nearly forty years ago:
>
> https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
Sigh. The world has moved on since then. If you quote this (really good,
seminal) article, you should at least know about David A. Wheeler[0]'s
"Countering Trusting Trust through Diverse Double-Compiling (DDC)" [1].

You might also be interested in the Reproducible Builds [2] initiative
(which is more and more important in Debian).

You'll never be able to actually /prove/ that the world out there actually
exists. But you can get that >< close.

Cheers

[0] https://dwheeler.com/dwheeler.html
[1] https://dwheeler.com/trusting-trust
[2] https://reproducible-builds.org/

-- 
t
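Added illustration of the reproducible-builds point made in the message above; it is not part of the thread and is not code from the Reproducible Builds project or from Debian's tooling. To keep it self-contained, the "build" is simply packing a source tree into a .tar.gz, which is enough to show the usual sources of nondeterminism (file mtimes, owner ids, permission bits, the gzip header timestamp) and how a build strips them out. The two source trees and their checkout timestamps are constructed inside the script; the function names are this example's own.

```python
"""Reproducible-build check: build the same sources from two checkouts
and compare the output hashes.

The naive build leaks builder state (mtimes, uid/gid, gzip timestamp)
into the artifact, so two honest builders disagree and the artifact
cannot be independently verified.  The normalised build removes that
state, so anyone can rebuild and compare bit-for-bit.
"""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample sources: identical content, as if checked out on two
# builders at different times (so the on-disk mtimes differ).
SAMPLE_FILES = {
    "src/main.c": "int main(void) { return 0; }\n",
    "README": "toy package for a reproducibility check\n",
}


def make_tree(root, checkout_time):
    """Write SAMPLE_FILES under root and stamp them with checkout_time."""
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)
        os.utime(path, (checkout_time, checkout_time))
    return root


def naive_build(src_root):
    """Typical non-reproducible build: whatever the filesystem says goes in."""
    buf = io.BytesIO()
    # 'w:gz' stamps the gzip header with the current time; each entry keeps
    # its real mtime, uid, gid, user/group name and umask-dependent mode.
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(src_root, arcname="pkg")
    return hashlib.sha256(buf.getvalue()).hexdigest()


def _normalise(info):
    """Strip everything that depends on the builder rather than the source."""
    info.mtime = 0  # a real build would use int(os.environ["SOURCE_DATE_EPOCH"])
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o755 if info.isdir() or (info.mode & 0o111) else 0o644
    return info


def reproducible_build(src_root):
    """Same build with the nondeterminism removed."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(src_root):
            dirnames.sort()  # deterministic traversal order, independent of readdir()
            for name in sorted(dirnames + filenames):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, src_root)
                tar.add(full, arcname=os.path.join("pkg", rel),
                        recursive=False, filter=_normalise)
    # mtime=0 pins the gzip header timestamp, the last builder-specific field.
    packed = gzip.compress(raw.getvalue(), mtime=0)
    return hashlib.sha256(packed).hexdigest()


def compare_builds():
    """Build from two checkouts and report whether each method reproduces."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        make_tree(a, checkout_time=1_600_000_000)
        make_tree(b, checkout_time=1_700_000_000)
        return {
            "naive_matches": naive_build(a) == naive_build(b),
            "reproducible_matches": reproducible_build(a) == reproducible_build(b),
        }


if __name__ == "__main__":
    print(compare_builds())
```

The same normalisation is what a real toolchain has to do at every layer (compiler output, archive metadata, timestamps embedded by packaging tools), and the independent-rebuild-and-compare step is the check that turns "it is open source" into something a third party can actually verify.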