by fatcow 1757 days ago
> Can somebody let me know why one cannot just take the assembly version of an existing compiler and carefully review its code to be happy with it and then build everything from that verified compiler? Why does it need so many steps?

Because your current OS, which loads the assembly code, may have been poisoned to present you with a sanitized version of the compiler.

1 comments

It's worth noting that the above comment, while it might sound paranoid to some, is IMO entirely justified.

I'm 50/50 on whether someone at some point hasn't executed a successful Trusting Trust attack (see Ken Thompson). With modern machines that have megabytes of binary blobs, different co-processors that have access to the RAM while they can't be reprogrammed to be on the user's side, and techniques that can actually tell when sensitive operations are happening, such attacks are becoming more feasible.

There definitely have been compromised build toolchains before:

https://en.wikipedia.org/wiki/XcodeGhost

That's only half of the trusting-trust attack though; the other half is being able to make the compiler compromise propagate itself, i.e. not just inserting any backdoor in compiled code, but inserting itself in any compiler built using the compromised tool.

Mobile and Electron apps often weigh hundreds of megs. That's enough data to hide an entire classic-style OS in the spaces between the data. While I don't know whether someone did insert such a recursive compiler, they certainly can do it unobtrusively enough that it doesn't raise any suspicion.

Thank you, I wasn't familiar with this case.
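The self-propagating half of the attack discussed above has a standard defensive check: David A. Wheeler's Diverse Double-Compiling (DDC). The following is an added toy model written for this thread, not code from any commenter or from a real compiler. Binaries are plain data records, the source names `cc`, `tcc` and `login` are constructed, and `Binary`, `compile_with` and `diverse_double_compile` are hypothetical helpers. The point it shows: a trojaned compiler binary regenerates the trojan from clean source, so source review alone never finds it, but rebuilding the suspect compiler's source through an independent second compiler and comparing the second-stage output with the suspect's own self-build does.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Binary:
    """A compiled artifact in the toy model; dataclass equality stands in for a bit-for-bit compare."""
    kind: str                    # "compiler" or "program"
    name: str                    # which source it was built from
    built_with: str              # codegen style of the compiler that produced it
    emits: Optional[str] = None  # compilers only: the codegen style this binary produces
    backdoor: bool = False       # programs only: a hidden extra behaviour was inserted
    propagates: bool = False     # compilers only: re-inserts the trojan into any compiler it builds


# Constructed toy source tree (hypothetical names). Every source here is clean;
# the trojan exists only inside a binary, which is what makes the attack hard to see.
SOURCES = {
    "cc":    {"kind": "compiler", "style": "cc-style"},   # the suspect compiler's own source
    "tcc":   {"kind": "compiler", "style": "tcc-style"},  # an independent second compiler
    "login": {"kind": "program"},
}


def compile_with(compiler: Binary, source_name: str) -> Binary:
    """Run a compiler binary on a named source. Honest unless the binary carries the trojan."""
    if compiler.kind != "compiler":
        raise ValueError(f"{compiler.name} is not a compiler")
    src = SOURCES[source_name]
    out = Binary(kind=src["kind"], name=source_name,
                 built_with=compiler.emits, emits=src.get("style"))
    if compiler.propagates:
        if src["kind"] == "compiler":
            out = replace(out, propagates=True)   # the trojan copies itself into the new compiler
        elif source_name == "login":
            out = replace(out, backdoor=True)     # the payload the trojan was built to deliver
    return out


def diverse_double_compile(suspect: Binary, trusted: Binary, suspect_src: str) -> bool:
    """Wheeler's DDC check: True if the suspect binary faithfully corresponds to its source."""
    stage1 = compile_with(trusted, suspect_src)      # suspect's source, built by the trusted compiler
    stage2 = compile_with(stage1, suspect_src)       # rebuilt by stage1, so codegen is now the source's own
    regenerated = compile_with(suspect, suspect_src) # the suspect binary rebuilding itself
    return stage2 == regenerated                     # bit-identical only if the suspect is honest


# A trusted compiler from a different lineage (hand-checked bootstrap is assumed) and two
# candidate cc binaries built from the very same clean source; only one carries the trojan.
TRUSTED_TCC = Binary("compiler", "tcc", built_with="hand-checked", emits="tcc-style")
HONEST_CC = Binary("compiler", "cc", built_with="cc-style", emits="cc-style")
TROJANED_CC = replace(HONEST_CC, propagates=True)


def demo() -> dict:
    """Each entry is True when the model behaves as the trusting-trust story predicts."""
    ddc_chain_cc = compile_with(compile_with(TRUSTED_TCC, "cc"), "cc")
    return {
        "honest_cc_passes_ddc": diverse_double_compile(HONEST_CC, TRUSTED_TCC, "cc"),
        "trojaned_cc_fails_ddc": not diverse_double_compile(TROJANED_CC, TRUSTED_TCC, "cc"),
        "trojan_survives_rebuild_from_clean_source": compile_with(TROJANED_CC, "cc").propagates,
        "login_built_by_trojan_is_backdoored": compile_with(TROJANED_CC, "login").backdoor,
        "login_built_by_ddc_chain_is_clean": not compile_with(ddc_chain_cc, "login").backdoor,
        "single_stage_compare_would_not_suffice":
            compile_with(TRUSTED_TCC, "cc") != compile_with(HONEST_CC, "cc"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Two caveats the toy makes visible. First, stage1 is never expected to match the suspect byte for byte (it was emitted by a different compiler), which is why the second compilation step exists. Second, DDC only detects; it assumes the trusted compiler and the machine running the comparison are themselves honest and that builds are deterministic, which is exactly the worry raised earlier in the thread about a poisoned OS handing you a sanitized compiler.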