From: Mark Knecht <markknecht@gmail.com>
To: Gentoo AMD64 <gentoo-amd64@lists.gentoo.org>
Subject: Re: [gentoo-amd64] Re: "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
Date: Thu, 7 Aug 2014 12:38:07 -0700 [thread overview]
Message-ID: <CAK2H+edexOrMdzs2gX4KgUUwTpiaG6yZVd+Z1_iDybZAb6BGyg@mail.gmail.com> (raw)
In-Reply-To: <pan$1802$ad31072b$2b88fdcb$9b9112da@cox.net>
On Thu, Aug 7, 2014 at 10:20 AM, Duncan <1i5t5.duncan@cox.net> wrote:
> Lie Ryan posted on Fri, 08 Aug 2014 02:06:14 +1000 as excerpted:
>
>> With you having to compile thousands of things if you build from stage
>> 1, I doubt that you will be able to verify every single thing you
>> compile and detect if something is actually doing sneaky stuff AND still
>> have the time to enjoy your system. Also, even if you build from stage 1
>> and manage to verify all the source code, you still need to download a
>> precompiled compiler which could possibly inject the malicious code into
>> the programs it compiles, and which can also inject itself if you try to
>> compile another compiler from source. If there is a single piece of software that
>> is worth a gold mine to inject with malware to gain illicit access to
>> all Linux systems, then it would be gcc. Once you infect a compiler,
>> you're invincible.
>
> Actually, that brings up a good question. The art of compiling is
> certainly somewhat magic to me tho I guess I somewhat understand the
> concept in a vague, handwavy way, but...
<SNIP>
>
> So anyway, to the gcc experts that know, and to non-gcc CS folks who have
> actually built their own simple compilers and can at least address the
> concept, is a previous gcc or other full compiler actually required to
> build a new gcc, or does it sufficiently bootstrap itself from the more
> basic tools such that unlike most code, it doesn't actually need a full
> compiler to build and reasonably optimize at all? That's a question I've
> had brewing in the back of my mind for some time, and this seemed the
> perfect opportunity to ask it. =:^)
>
And beyond Duncan's question (good question!), if I try to rebuild gcc
like it was an empty box using my current machine, I see this sort of thing,
where gcc is about the 350th of 385 packages getting built. It seems to
me that _any_ package that has programs running at the same or higher
level as emerge could be hacked and control what's actually placed on the
machine.
It's an endless problem if you cannot trust anything, and for most people,
and certainly for me, it's unverifiable the way the tools work today.
c2RAID6 ~ # emerge -pve gcc
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] app-arch/xz-utils-5.0.5-r1 USE="nls threads
-static-libs" ABI_X86="(64) (-32) (-x32)" 1,276 kB
[ebuild R ] virtual/libintl-0-r1 ABI_X86="(64) -32 (-x32)" 0 kB
[ebuild R ] app-arch/bzip2-1.0.6-r6 USE="-static -static-libs"
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] dev-libs/expat-2.1.0-r3 USE="unicode -examples
-static-libs" ABI_X86="(64) (-32) (-x32)" 550 kB
[ebuild R ] virtual/libiconv-0-r1 ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] dev-lang/python-exec-2.0.1-r1:2
PYTHON_TARGETS="(jython2_5) (jython2_7) (pypy) (python2_7) (python3_2)
(python3_3) (-python3_4)" 0 kB
[ebuild R ] sys-devel/gnuconfig-20140212 0 kB
[ebuild R ] media-libs/libogg-1.3.1 USE="-static-libs"
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] app-misc/mime-types-9 16 kB
[ebuild R ] sys-apps/baselayout-2.2 USE="-build" 40 kB
[ebuild R ] sys-devel/gcc-config-1.7.3 15 kB
<SNIP, SNIP, SNIP>
[ebuild R ] media-libs/phonon-4.6.0-r1 USE="gstreamer (-aqua)
-debug -pulseaudio -vlc (-zeitgeist)" 275 kB
[ebuild R ] sys-libs/glibc-2.19-r1:2.2 USE="(multilib) -debug
-gd (-hardened) -nscd -profile (-selinux) -suid -systemtap -vanilla" 0
kB
[ebuild R ] sys-devel/gcc-4.7.3-r1:4.7 USE="cxx fortran
(multilib) nls nptl openmp (-altivec) -awt -doc (-fixed-point) -gcj
-go -graphite (-hardened) (-libssp) -mudflap (-multislot) -nopie
-nossp -objc -objc++ -objc-gc -regression-test -vanilla" 81,022 kB
[ebuild R ] sys-libs/pam-1.1.8-r2 USE="berkdb cracklib nls
-audit -debug -nis (-selinux) {-test} -vim-syntax" ABI_X86="(64) (-32)
(-x32)" 0 kB
[ebuild R ] dev-db/mysql-5.1.70 USE="community perl ssl
-big-tables -cluster -debug -embedded -extraengine -latin1
-max-idx-128 -minimal -pbxt -profiling (-selinux) -static {-test}
-xtradb" 24,865 kB
[ebuild R ] sys-devel/llvm-3.3-r3:0/3.3 USE="libffi
static-analyzer xml -clang -debug -doc -gold -multitarget -ocaml
-python {-test} -udis86" ABI_X86="(64) (-32) (-x32)"
PYTHON_TARGETS="python2_7 (-pypy) (-pypy2_0%) (-python2_6%)"
VIDEO_CARDS="-radeon" 0 kB
[ebuild R ] media-libs/mesa-10.0.4 USE="classic egl gallium llvm
nptl vdpau xvmc -bindist -debug -gbm -gles1 -gles2 -llvm-shared-libs
-opencl -openvg -osmesa -pax_kernel -pic -r600-llvm-compiler
(-selinux) -wayland -xa" ABI_X86="(64) (-32) (-x32)"
VIDEO_CARDS="(-freedreno) -i915 -i965 -ilo -intel -nouveau -r100 -r200
-r300 -r600 -radeon -radeonsi -vmware" 0 kB
[ebuild R ] x11-libs/cairo-1.12.16 USE="X glib opengl svg xcb
(-aqua) -debug -directfb -doc (-drm) (-gallium) (-gles2)
-legacy-drivers -openvg (-qt4) -static-libs -valgrind -xlib-xcb" 0 kB
[ebuild R ] app-text/poppler-0.24.5:0/44 USE="cairo cxx
introspection jpeg jpeg2k lcms png qt4 tiff utils -cjk -curl -debug
-doc" 0 kB
[ebuild R ] media-libs/harfbuzz-0.9.28:0/0.9.18 USE="cairo glib
graphite introspection truetype -icu -static-libs {-test}"
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] x11-libs/pango-1.36.5 USE="X introspection -debug"
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] x11-libs/gtk+-2.24.24:2 USE="introspection xinerama
(-aqua) -cups -debug -examples {-test} -vim-syntax" ABI_X86="(64)
(-32) (-x32)" 0 kB
[ebuild R ] x11-libs/gtk+-3.12.2:3 USE="X introspection xinerama
(-aqua) -cloudprint -colord -cups -debug -examples {-test} -vim-syntax
-wayland" 0 kB
[ebuild R ] dev-db/libiodbc-3.52.7 USE="gtk" 1,015 kB
[ebuild R ] app-crypt/pinentry-0.8.2 USE="gtk ncurses qt4 -caps
-static" 419 kB
[ebuild R ] dev-java/icedtea-bin-6.1.13.3-r3:6 USE="X alsa -cjk
-cups -doc -examples -nsplugin (-selinux) -source -webstart" 0 kB
[ebuild R ] dev-libs/soprano-2.9.4 USE="dbus raptor redland
virtuoso -debug -doc {-test}" 1,913 kB
[ebuild R ] app-crypt/gnupg-2.0.25 USE="bzip2 ldap nls readline
usb -adns -doc -mta (-selinux) -smartcard -static" 0 kB
[ebuild R ] gnome-extra/polkit-gnome-0.105 304 kB
[ebuild R ] kde-base/kdelibs-4.12.5-r2:4/4.12 USE="acl alsa
bzip2 fam handbook jpeg2k mmx nls opengl (policykit) semantic-desktop
spell sse sse2 ssl udev udisks upower -3dnow (-altivec) (-aqua) -debug
-doc -kerberos -lzma -openexr {-test} -zeroconf" 0 kB
[ebuild R ] sys-auth/polkit-kde-agent-0.99.0-r1:4 USE="(-aqua)
-debug" LINGUAS="-ca -ca@valencia -cs -da -de -en_GB -eo -es -et -fi
-fr -ga -gl -hr -hu -is -it -ja -km -lt -mai -ms -nb -nds -nl -pa -pt
-pt_BR -ro -ru -sk -sr -sr@ijekavian -sr@ijekavianlatin -sr@latin -sv
-th -tr -uk -zh_TW" 34 kB
[ebuild R ] kde-base/nepomuk-core-4.12.5:4/4.12 USE="exif pdf
(-aqua) -debug -epub -ffmpeg -taglib" 0 kB
[ebuild R ] kde-base/katepart-4.12.5:4/4.12 USE="handbook
(-aqua) -debug" 0 kB
[ebuild R ] kde-base/kdesu-4.12.5:4/4.12 USE="handbook (-aqua)
-debug" 0 kB
[ebuild R ] net-libs/libproxy-0.4.11-r2 USE="kde -gnome -mono
-networkmanager -perl -python -spidermonkey {-test} -webkit"
ABI_X86="(64) (-32) (-x32)" PYTHON_TARGETS="python2_7" 0 kB
[ebuild R ] kde-base/nepomuk-widgets-4.12.5:4/4.12 USE="(-aqua)
-debug" 0 kB
[ebuild R ] kde-base/khelpcenter-4.12.5:4/4.12 USE="(-aqua) -debug" 0 kB
[ebuild R ] net-libs/glib-networking-2.40.1-r1 USE="gnome
libproxy ssl -smartcard {-test}" ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] net-libs/libsoup-2.46.0-r1:2.4 USE="introspection
ssl -debug -samba {-test}" ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] media-plugins/gst-plugins-soup-0.10.31-r1:0.10
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] media-libs/phonon-gstreamer-4.6.3 USE="alsa network
-debug" 71 kB
Total: 385 packages (385 reinstalls), Size of downloads: 355,030 kB
c2RAID6 ~ #
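The "infected compiler" scenario quoted above (a compiler that re-inserts itself whenever it compiles a compiler) does have a known countermeasure: Wheeler's diverse double-compiling (DDC), where the suspect compiler's source is built with an independent trusted compiler, that result is used to rebuild the same source, and the outcome is compared with what the suspect compiler produces from the same source. The following is an added illustrative model, not code from this thread or from Gentoo; compilers and programs are stand-ins built from small Python values (an assumption of the model, not real gcc binaries), and the source strings are constructed samples.

```python
"""Toy model of Thompson's trusting-trust problem and the DDC check.
Added example; compilers here are Python values, not real binaries."""
import hashlib
from dataclasses import dataclass

COMPILER_SRC = "COMPILER: source of the compiler"   # constructed sample
LOGIN_SRC = "LOGIN: source of the login program"    # constructed sample


@dataclass(frozen=True)
class Binary:
    """A 'compiled' artifact: the source it came from, plus whether a
    self-propagating backdoor rode along in the compiler that built it."""
    code: str
    backdoor: bool = False

    def digest(self) -> str:
        # Stand-in for a bit-for-bit comparison of real build output.
        return hashlib.sha256(f"{self.code}|{self.backdoor}".encode()).hexdigest()


def compile_with(compiler: Binary, source: str) -> Binary:
    """Run `compiler` on `source`.  A clean compiler translates faithfully;
    a backdoored one re-inserts itself when it compiles a compiler and
    alters the login program, exactly the scenario quoted in the thread."""
    if not compiler.backdoor:
        return Binary(code=source)
    if source.startswith("COMPILER:"):
        return Binary(code=source, backdoor=True)   # propagates itself
    if source.startswith("LOGIN:"):
        return Binary(code=source + " +PAYLOAD")     # altered program
    return Binary(code=source)


def ddc_check(suspect: Binary, suspect_src: str, trusted: Binary) -> bool:
    """Diverse double-compiling.  stage1 is the suspect's source built by an
    independent trusted compiler; stage2 is that source rebuilt by stage1.
    With a deterministic build, stage2 must match what the suspect compiler
    itself produces from the same source; a mismatch means the suspect
    binary carries behaviour its source does not explain."""
    stage1 = compile_with(trusted, suspect_src)
    stage2 = compile_with(stage1, suspect_src)
    self_built = compile_with(suspect, suspect_src)
    return stage2.digest() == self_built.digest()


if __name__ == "__main__":
    trusted = Binary(code="COMPILER: small independent compiler")
    clean = Binary(code=COMPILER_SRC)
    trojaned = Binary(code=COMPILER_SRC, backdoor=True)
    print("clean compiler passes DDC:   ", ddc_check(clean, COMPILER_SRC, trusted))
    print("trojaned compiler passes DDC:", ddc_check(trojaned, COMPILER_SRC, trusted))
```

The check only tells you that the suspect binary matches its source; it says nothing about whether the source itself is trustworthy, which is the separate question this thread started with.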