[Sorry about the long lines in my earlier post,
thanks for wrapping them, Raul.]
Raul Miller wrote:
> On Sun, Jun 13, 2004 at 04:17:29PM +0100, Marco Franzen wrote:
> > To understand what I mean, you may want to read Ken Thompson's old
> > article[0] on how to hide a Trojan Horse in a compiler without it being
> > present in its "source" at all - just provided you bootstrap it with a
> > given binary that already contains the Trojan Horse.
> > Unless/until it can be proved that the binary's behaviour is accurately
> > described by its (alleged) source, it is unclear whether its (true)
> > source is provided or missing. Erring on the side of caution, it would
> > need to be ruled non-free.
> > The source (with the bootstrap binary removed) could therefore be at
> > most contrib.
> How is this different from glibc?
Technically, you don't need a glibc binary to produce a glibc binary.
You can produce it on existing platforms (free and non-free ones) that
do not use glibc (and in whose ancestry glibc was never used).
> Ok, I'm told it's possible to build glibc under bsd's libc, but
> are we doing that?
It does not need to be done on each build. The freeness issue goes away
(together with the related potential security problem), once it is
established that the alleged source is truly the source, in the sense
that it accurately describes the behaviour of the binary.
(The proof could even be allowed to use non-free tools where we can
trust them, and if it's only for a proof.)
> If oaklisp's binary can be built under some other
> lisp implementation, is that sufficient?
If an unrelated (and "trustworthy") lisp implementation produced the
same binary, then that would certainly be proof enough (possibly even
if the other lisp implementation was not free).
Alternatively, if the binary was produced by another lisp implementation
that has already been (correctly) proved to be free, that would also be
fine.
If producing the binary requires lots of arcane features that are not
present in any other lisp implementation, then, until an acceptable
bootstrap path is shown, that is a problem - for both freeness and
security.
> What does "bootstrap from scratch" mean?
I mean an "acceptable" bootstrap path. As Florian said earlier, it needs
to be decided on a case-by-case basis - with [0] in mind.
> Is it more important for oaklisp than glibc?
It is important for both. I could turn it around:
If glibc binaries really had a virus that was not in their source,
and if that could have been avoided by more painful bootstrapping,
would that mean clean oaklisp bootstrapping should not be required?
(Of course oaklisp would be the least of our problems then.)
[You snipped this, probably because it was in .sig position:]
>>[0] http://www.acm.org/classics/sep95/
Marco
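The check Marco describes (rebuild the compiler from its alleged source with an unrelated, trusted implementation and see whether you get the same binary) can be shown on a toy model of Thompson's attack. The following is an added example, not code from the thread or from oaklisp; the "compiler", its source strings, the login program and the magic password "letmein" are all constructed for it. To keep builds byte-for-byte comparable, a "binary" here is just a tagged blob of normalised Python source that the toy runtime exec()s; the trojan mechanics (recognise the login program and backdoor it, recognise the compiler's own source and re-insert itself) are the ones from the article.

```python
"""Toy model of Thompson's self-reproducing compiler trojan plus the
bootstrap check discussed in the thread.  Added example; every source
string below is constructed.  A 'binary' is HEADER + normalised source,
so two builds of the same source compare equal byte for byte."""
import hashlib

HEADER = b"TOYBIN\n"


def normalise(src):
    """The toy code generator: drop blank lines and comment-only lines."""
    lines = [l for l in src.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return "\n".join(lines) + "\n"


def trusted_compile(src):
    """The unrelated compiler we trust (here: the host Python itself)."""
    return HEADER + normalise(src).encode()


def run(binary):
    """'Execute' a binary and return the namespace its code defines."""
    assert binary.startswith(HEADER), "not a TOYBIN blob"
    ns = {}
    exec(binary[len(HEADER):].decode(), ns)
    return ns


# The compiler source as published: nothing suspicious in it.
CLEAN_COMPILER_SRC = r'''
def compile_src(src):
    # honest compiler: normalise the source and emit it under a fixed header
    lines = [l for l in src.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return b"TOYBIN\n" + ("\n".join(lines) + "\n").encode()
'''

# A program the attacker wants to subvert (constructed).
LOGIN_SRC = r'''
def check_password(password, stored):
    return password == stored
'''

# What the shipped bootstrap binary really contains.  __SELF__ is replaced
# by a quoted copy of this template, so the trojan can reproduce itself.
TROJAN_TEMPLATE = r'''
_T = __SELF__
_TROJAN = _T.replace("__SELF__", repr(_T), 1)
def compile_src(src):
    if "def check_password(" in src:          # trick 1: backdoor login
        src = src.replace("return password == stored",
                          "return password == stored or password == \"letmein\"")
    if "def compile_src(" in src and "_TROJAN" not in src:
        src = _TROJAN                         # trick 2: re-infect the compiler
    lines = [l for l in src.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return b"TOYBIN\n" + ("\n".join(lines) + "\n").encode()
'''
TROJAN_COMPILER_SRC = TROJAN_TEMPLATE.replace("__SELF__", repr(TROJAN_TEMPLATE), 1)
SHIPPED_BINARY = trusted_compile(TROJAN_COMPILER_SRC)   # the bootstrap binary handed out


def is_backdoored(compiler_binary):
    """Build the login program with this compiler, then try the magic password."""
    compile_src = run(compiler_binary)["compile_src"]
    check = run(compile_src(LOGIN_SRC))["check_password"]
    return check("letmein", "hunter2")


def bootstrap_check(suspect_binary, compiler_src, independent_compile):
    """Rebuild the compiler from source two ways and compare the results.

    stage1: compiler_src built by an unrelated compiler we trust.
    stage2: compiler_src built by stage1 (so code-generation quirks of the
            independent compiler drop out and only compiler_src matters).
    self  : compiler_src built by the suspect binary.
    If the suspect binary is what its source says it is, self == stage2."""
    stage1 = independent_compile(compiler_src)
    stage2 = run(stage1)["compile_src"](compiler_src)
    self_build = run(suspect_binary)["compile_src"](compiler_src)

    def digest(b):
        return hashlib.sha256(b).hexdigest()
    return self_build == stage2, digest(stage2), digest(self_build)


if __name__ == "__main__":
    ok, want, got = bootstrap_check(SHIPPED_BINARY, CLEAN_COMPILER_SRC, trusted_compile)
    print("shipped binary matches its source:", ok, "\n ", want, "\n ", got)
    print("shipped binary plants backdoor:", is_backdoored(SHIPPED_BINARY))
    print("rebuilt binary plants backdoor:",
          is_backdoored(trusted_compile(CLEAN_COMPILER_SRC)))
```

Building the clean compiler source with the shipped binary reproduces the shipped binary exactly, backdoor included, even though nothing in that source mentions a backdoor; only the rebuild through an independent compiler exposes the difference, which is why the comparison has to be made against something the suspect binary was never part of.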