by gengear 1362 days ago
even if you compile yourself you can't be sure. [Reflections on Trusting Trust](https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...)
2 comments

Has that attack ever been observed in the wild?

While I don't know if the current incarnations of Nix/Guix will succeed, I think we are slowly making progress towards reproducible builds everywhere.

No one knows for sure, though compromised compilers are not far-fetched - there has been an implicit trust in compiler toolchains. Reproducible builds are a few years out from full general adoption.
Assembly code can be read to see if it matches.
> Has that attack ever been observed in the wild?

Yes: https://www.quora.com/What-is-a-coders-worst-nightmare/answe...

Also, I remember in the 90's, people talking about a virus that infects Pascal source code files. Memory is spotty about it.

> While I don't know if the current incarnations of Nix/Guix will succeed, I think we are slowly making progress towards reproducible builds everywhere.

Fortunately, the answer is also positive here.

Not with Guix and Mes.
Reproducible builds make an attack like this as likely as "the whole world is a big conspiracy".