Hacker News
by cperciva 4134 days ago
So if you want to avoid trusting trust, you need to audit not only a C compiler and the source code for the Go compiler you plan on using, but also every past Go compiler as well?

You could audit the Go source and then use the diverse double compiling technique[0] to verify that the binary you're using corresponds to that source code.

[0] http://www.dwheeler.com/trusting-trust/dissertation/html/whe...
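
Added example, not part of the thread or of Wheeler's dissertation: a toy Python model of the diverse double-compiling check mentioned above, extended to show why a self-rebuild cannot expose a self-propagating payload while DDC can. `Binary`, `compile_with`, `ddc` and the sample values are hypothetical; it assumes deterministic builds and a second compiler (gccgo, say) that does not carry the same payload.

```python
import hashlib
from dataclasses import dataclass

GO_SRC = "constructed stand-in for the audited Go compiler source"

@dataclass(frozen=True)
class Binary:
    semantics: str        # what the program does: id of the source it implements
    codegen: str          # whose code generator emitted it (the builder's semantics)
    trojan: bool = False  # hidden payload that is absent from the source

    def digest(self) -> str:
        # Stand-in for hashing the executable file on disk.
        raw = f"{self.semantics}|{self.codegen}|{self.trojan}".encode()
        return hashlib.sha256(raw).hexdigest()

def src_id(source: str) -> str:
    return hashlib.sha256(source.encode()).hexdigest()[:16]

def compile_with(compiler: Binary, source: str) -> Binary:
    """Run `compiler` on `source` (deterministic build assumed)."""
    # A subverted compiler re-inserts its payload only when it recognises
    # the compiler's own source: the "trusting trust" behaviour.
    infect = compiler.trojan and source == GO_SRC
    return Binary(src_id(source), compiler.semantics, infect)

def ddc(trusted: Binary, source: str, binary_under_test: Binary) -> bool:
    """True if binary_under_test is what `source` compiles to."""
    stage1 = compile_with(trusted, source)  # same behaviour, different bytes
    stage2 = compile_with(stage1, source)   # must be bit-identical to the target
    return stage2.digest() == binary_under_test.digest()

# Constructed sample binaries.
GCCGO = Binary("independent-compiler", "vendor")  # assumed not subverted
HONEST = Binary(src_id(GO_SRC), src_id(GO_SRC))
TROJANED = Binary(src_id(GO_SRC), src_id(GO_SRC), trojan=True)

def self_rebuild_matches(binary: Binary) -> bool:
    # Rebuilding the compiler with itself reproduces the same bytes,
    # payload included, so this check cannot reveal a subverted binary.
    return compile_with(binary, GO_SRC).digest() == binary.digest()

if __name__ == "__main__":
    print("self-rebuild, trojaned:", self_rebuild_matches(TROJANED))
    print("DDC, honest:  ", ddc(GCCGO, GO_SRC, HONEST))
    print("DDC, trojaned:", ddc(GCCGO, GO_SRC, TROJANED))
```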

You mean, audit a large number of independently-written Go compilers?
Nicely done. To be fair though, Go is just 6 years old and still evolving.
Exactly. Which is why I think it's important to keep the option of compiling its compiler from a language which has a large diversity of compilers.
I don't believe it has been tried yet, but it seems entirely possible to use gccgo as the bootstrap compiler.
You can't avoid trusting trust. "Ken was here" :)
You actually can. Proof here: http://www.dwheeler.com/trusting-trust/
I was alluding to Ken being the author of the old, as well as one of the authors of the new compiler. In jest :)
You can. You just have to bootstrap all the way up.
What if any intermediate version is found to contain the violation of trusting trust? Every Go maintainer has to build every version sequentially from that version to the current version.