On Thu, 4 Mar 2021 09:41:13 +0000 Joe <j...@jretrading.com> wrote: ...
> Undoubtedly. But there is also no doubt that gcc and every other > serious compiler in the West has been compromised. Why would they *not* > be? Do you have any evidence for this, or is it just your assumption, because "why would they not be?" > > The one aspect missing is, though, the "social" aspect: the software > > endeavour has become so devilishly complex that the idea of One > > Person (TM) checking everything down to some hypothetical "Trust > > Roots" is... theoretical, to state it politely. You gotta delegate > > some trust (well, most of it, actually). > > Indeed. The new heartbeat/data return function in OpenSSL, itself the > core of much Open Source security, was suggested by the programmer > himself, and the resulting code was audited by *one* other person before > approval and distribution. What could possibly go wrong? The problem I have with your claim is that AFAIK none of the ostensible compromises you assume exist have ever been discovered. I know there's speculation that this was a backdoor: https://www.debian.org/security/2008/dsa-1571 https://freedom-to-tinker.com/2013/09/20/software-transparency-debian-openssl-bug/ but that's never been established, and my understanding is that it's considered unlikely. I guess there's Dual_EC_DRBG, but even that, IIUC, is only speculation. Human beings being what they are, is it really plausible that no one involved has ever let the cat out of the bag? Are the TLAs really that good at what they do? I mean, we have Snowden ... Celejar
