On Thu, 4 Mar 2021 09:43:57 +0100 <to...@tuxteam.de> wrote:

> On Wed, Mar 03, 2021 at 05:42:36PM -0800, David Christensen wrote:
>
> [...]
>
> > So, you designed, built, and programmed your "single other machine"
> > using machines that you designed, built [...]
>
> This is disingenuous.
>
> The whole game is about trust. I trust gcc more than I trust MSVC.

Undoubtedly. But there is also no doubt that gcc and every other serious
compiler in the West has been compromised. Why would they *not* be?

> The one aspect missing is, though, the "social" aspect: the software
> endeavour has become so devilishly complex that the idea of One
> Person (TM) checking everything down to some hypothetical "Trust
> Roots" is... theoretical, to state it politely. You gotta delegate
> some trust (well, most of it, actually).

Indeed. The new heartbeat/data return function in OpenSSL, itself the
core of much Open Source security, was suggested by the programmer
himself, and the resulting code was audited by *one* other person before
approval and distribution. What could possibly go wrong?

>
> And oh, do you a favour and dare a step forward from the 1984s.
> Read David A. Wheeler's work [1] and put yourself in the 2010s :-)
>
> Back to the topic: I do trust my ISP significantly less than I do
> OpenWRT. Therefore there is something between their provided router
> and my home network.

Of course. Any externally-supplied network device is inherently
untrusted. It is unwise to give any IoT device access to your network;
it is fail-safe to assume that every such device reports back as much as
possible to some Chinese company. But most people do unwise things
frequently, as most of us are unwise in many areas. We just happen to
know a bit about networking.

-- 
Joe