On Thu, Aug 7, 2014 at 10:20 AM, Duncan <1i5t5.duncan@×××.net> wrote:
> Lie Ryan posted on Fri, 08 Aug 2014 02:06:14 +1000 as excerpted:
>
>> With you having to compile thousands of stuffs if you build from stage
>> 1, I doubt that you will be able to verify every single thing you
>> compile and detect if something is actually doing sneaky stuff AND still
>> have the time to enjoy your system. Also, even if you build from stage 1
>> and manage to verify all the source code, you still need to download a
>> precompiled compiler which could possibly inject the malicious code into
>> the programs it compiles, and which can also inject itself if you try to
>> compile another compiler from source. If there is a single software that
>> is worth a gold mine to inject with malware to gain illicit access to
>> all Linux systems, then it would be gcc. Once you infect a compiler,
>> you're invincible.
>
> Actually, that brings up a good question. The art of compiling is
> certainly somewhat magic to me tho I guess I somewhat understand the
> concept in a vague, handwavy way, but...

<SNIP>
>
> So anyway, to the gcc experts that know, and to non-gcc CS folks who have
> actually built their own simple compilers and can at least address the
> concept, is a previous gcc or other full compiler actually required to
> build a new gcc, or does it sufficiently bootstrap itself from the more
> basic tools such that unlike most code, it doesn't actually need a full
> compiler to build and reasonably optimize at all? That's a question I've
> had brewing in the back of my mind for some time, and this seemed the
> perfect opportunity to ask it. =:^)
>

And beyond Duncan's question (good question!) if I try to rebuild gcc
like it was an empty box using my current machine I see this sort of thing
where gcc is about the 350th of 385 packages getting built. It seems to
me that _any_ package that has programs running at the same or higher
level as emerge could be hacked and control what's actually placed on the
machine.

It's an endless problem if you cannot trust anything, and for most people,
and certainly for me, unverifiable the way the tools work today.

c2RAID6 ~ # emerge -pve gcc

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild R ] app-arch/xz-utils-5.0.5-r1 USE="nls threads
-static-libs" ABI_X86="(64) (-32) (-x32)" 1,276 kB
[ebuild R ] virtual/libintl-0-r1 ABI_X86="(64) -32 (-x32)" 0 kB
[ebuild R ] app-arch/bzip2-1.0.6-r6 USE="-static -static-libs"
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] dev-libs/expat-2.1.0-r3 USE="unicode -examples
-static-libs" ABI_X86="(64) (-32) (-x32)" 550 kB
[ebuild R ] virtual/libiconv-0-r1 ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] dev-lang/python-exec-2.0.1-r1:2
PYTHON_TARGETS="(jython2_5) (jython2_7) (pypy) (python2_7) (python3_2)
(python3_3) (-python3_4)" 0 kB
[ebuild R ] sys-devel/gnuconfig-20140212 0 kB
[ebuild R ] media-libs/libogg-1.3.1 USE="-static-libs"
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] app-misc/mime-types-9 16 kB
[ebuild R ] sys-apps/baselayout-2.2 USE="-build" 40 kB
[ebuild R ] sys-devel/gcc-config-1.7.3 15 kB

<SNIP, SNIP, SNIP>

[ebuild R ] media-libs/phonon-4.6.0-r1 USE="gstreamer (-aqua)
-debug -pulseaudio -vlc (-zeitgeist)" 275 kB
[ebuild R ] sys-libs/glibc-2.19-r1:2.2 USE="(multilib) -debug
-gd (-hardened) -nscd -profile (-selinux) -suid -systemtap -vanilla" 0
kB
[ebuild R ] sys-devel/gcc-4.7.3-r1:4.7 USE="cxx fortran
(multilib) nls nptl openmp (-altivec) -awt -doc (-fixed-point) -gcj
-go -graphite (-hardened) (-libssp) -mudflap (-multislot) -nopie
-nossp -objc -objc++ -objc-gc -regression-test -vanilla" 81,022 kB
[ebuild R ] sys-libs/pam-1.1.8-r2 USE="berkdb cracklib nls
-audit -debug -nis (-selinux) {-test} -vim-syntax" ABI_X86="(64) (-32)
(-x32)" 0 kB
[ebuild R ] dev-db/mysql-5.1.70 USE="community perl ssl
-big-tables -cluster -debug -embedded -extraengine -latin1
-max-idx-128 -minimal -pbxt -profiling (-selinux) -static {-test}
-xtradb" 24,865 kB
[ebuild R ] sys-devel/llvm-3.3-r3:0/3.3 USE="libffi
static-analyzer xml -clang -debug -doc -gold -multitarget -ocaml
-python {-test} -udis86" ABI_X86="(64) (-32) (-x32)"
PYTHON_TARGETS="python2_7 (-pypy) (-pypy2_0%) (-python2_6%)"
VIDEO_CARDS="-radeon" 0 kB
[ebuild R ] media-libs/mesa-10.0.4 USE="classic egl gallium llvm
nptl vdpau xvmc -bindist -debug -gbm -gles1 -gles2 -llvm-shared-libs
-opencl -openvg -osmesa -pax_kernel -pic -r600-llvm-compiler
(-selinux) -wayland -xa" ABI_X86="(64) (-32) (-x32)"
VIDEO_CARDS="(-freedreno) -i915 -i965 -ilo -intel -nouveau -r100 -r200
-r300 -r600 -radeon -radeonsi -vmware" 0 kB
[ebuild R ] x11-libs/cairo-1.12.16 USE="X glib opengl svg xcb
(-aqua) -debug -directfb -doc (-drm) (-gallium) (-gles2)
-legacy-drivers -openvg (-qt4) -static-libs -valgrind -xlib-xcb" 0 kB
[ebuild R ] app-text/poppler-0.24.5:0/44 USE="cairo cxx
introspection jpeg jpeg2k lcms png qt4 tiff utils -cjk -curl -debug
-doc" 0 kB
[ebuild R ] media-libs/harfbuzz-0.9.28:0/0.9.18 USE="cairo glib
graphite introspection truetype -icu -static-libs {-test}"
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] x11-libs/pango-1.36.5 USE="X introspection -debug"
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] x11-libs/gtk+-2.24.24:2 USE="introspection xinerama
(-aqua) -cups -debug -examples {-test} -vim-syntax" ABI_X86="(64)
(-32) (-x32)" 0 kB
[ebuild R ] x11-libs/gtk+-3.12.2:3 USE="X introspection xinerama
(-aqua) -cloudprint -colord -cups -debug -examples {-test} -vim-syntax
-wayland" 0 kB
[ebuild R ] dev-db/libiodbc-3.52.7 USE="gtk" 1,015 kB
[ebuild R ] app-crypt/pinentry-0.8.2 USE="gtk ncurses qt4 -caps
-static" 419 kB
[ebuild R ] dev-java/icedtea-bin-6.1.13.3-r3:6 USE="X alsa -cjk
-cups -doc -examples -nsplugin (-selinux) -source -webstart" 0 kB
[ebuild R ] dev-libs/soprano-2.9.4 USE="dbus raptor redland
virtuoso -debug -doc {-test}" 1,913 kB
[ebuild R ] app-crypt/gnupg-2.0.25 USE="bzip2 ldap nls readline
usb -adns -doc -mta (-selinux) -smartcard -static" 0 kB
[ebuild R ] gnome-extra/polkit-gnome-0.105 304 kB
[ebuild R ] kde-base/kdelibs-4.12.5-r2:4/4.12 USE="acl alsa
bzip2 fam handbook jpeg2k mmx nls opengl (policykit) semantic-desktop
spell sse sse2 ssl udev udisks upower -3dnow (-altivec) (-aqua) -debug
-doc -kerberos -lzma -openexr {-test} -zeroconf" 0 kB
[ebuild R ] sys-auth/polkit-kde-agent-0.99.0-r1:4 USE="(-aqua)
-debug" LINGUAS="-ca -ca@valencia -cs -da -de -en_GB -eo -es -et -fi
-fr -ga -gl -hr -hu -is -it -ja -km -lt -mai -ms -nb -nds -nl -pa -pt
-pt_BR -ro -ru -sk -sr -sr@ijekavian -sr@ijekavianlatin -sr@latin -sv
-th -tr -uk -zh_TW" 34 kB
[ebuild R ] kde-base/nepomuk-core-4.12.5:4/4.12 USE="exif pdf
(-aqua) -debug -epub -ffmpeg -taglib" 0 kB
[ebuild R ] kde-base/katepart-4.12.5:4/4.12 USE="handbook
(-aqua) -debug" 0 kB
[ebuild R ] kde-base/kdesu-4.12.5:4/4.12 USE="handbook (-aqua)
-debug" 0 kB
[ebuild R ] net-libs/libproxy-0.4.11-r2 USE="kde -gnome -mono
-networkmanager -perl -python -spidermonkey {-test} -webkit"
ABI_X86="(64) (-32) (-x32)" PYTHON_TARGETS="python2_7" 0 kB
[ebuild R ] kde-base/nepomuk-widgets-4.12.5:4/4.12 USE="(-aqua)
-debug" 0 kB
[ebuild R ] kde-base/khelpcenter-4.12.5:4/4.12 USE="(-aqua) -debug" 0 kB
[ebuild R ] net-libs/glib-networking-2.40.1-r1 USE="gnome
libproxy ssl -smartcard {-test}" ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] net-libs/libsoup-2.46.0-r1:2.4 USE="introspection
ssl -debug -samba {-test}" ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] media-plugins/gst-plugins-soup-0.10.31-r1:0.10
ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild R ] media-libs/phonon-gstreamer-4.6.3 USE="alsa network
-debug" 71 kB

Total: 385 packages (385 reinstalls), Size of downloads: 355,030 kB
c2RAID6 ~ #
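
The message above places gcc near the end of the merge list. As an added example (not part of the original message), this sketch parses `emerge -pv` style output, skips mail-wrapped continuation lines, and returns the packages listed ahead of a target. The helper names and the shortened sample listing are constructed for illustration and are not Portage API.

```python
import re

ENTRY = re.compile(r"^\[(?:ebuild|binary)[^\]]*\]\s+(\S+)")
ATOM = re.compile(r"^(?P<cp>[^/]+/.+?)-(?P<ver>\d+(?:\.\d+)*[a-z]?"
                  r"(?:_(?:alpha|beta|pre|rc|p)\d*)*(?:-r\d+)?)$")
TOTAL = re.compile(r"^Total:\s+(\d+)\s+packages?", re.M)

# Constructed sample modelled on the listing above; helper names are illustrative.
SAMPLE = """\
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild   R    ] app-arch/xz-utils-5.0.5-r1  USE="nls threads
-static-libs" ABI_X86="(64) (-32) (-x32)" 1,276 kB
[ebuild   R    ] sys-devel/gcc-config-1.7.3  15 kB
[ebuild   R    ] sys-libs/glibc-2.19-r1:2.2  USE="(multilib) -debug
-gd (-hardened)" 0 kB
[ebuild   R    ] sys-devel/gcc-4.7.3-r1:4.7  USE="cxx fortran
(multilib) nls" 81,022 kB
[ebuild   R    ] sys-libs/pam-1.1.8-r2  USE="berkdb cracklib nls" 0 kB

Total: 5 packages (5 reinstalls), Size of downloads: 82,313 kB
"""

def merge_order(listing):
    """Return [(category/name, version), ...] in the order emerge lists them."""
    order = []
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, Total line, or a wrapped USE/ABI continuation
        atom = m.group(1).split(":", 1)[0]  # drop the :slot/subslot suffix
        parsed = ATOM.match(atom)
        if parsed is None:
            raise ValueError(f"unparseable atom: {atom!r}")
        order.append((parsed["cp"], parsed["ver"]))
    return order

def built_before(listing, target):
    """Packages listed ahead of target, and whether the count matches Total."""
    names = [cp for cp, _ in merge_order(listing)]
    if target not in names:
        raise ValueError(f"{target} is not in the merge list")
    total = TOTAL.search(listing)
    complete = total is not None and int(total.group(1)) == len(names)
    return names[:names.index(target)], complete

if __name__ == "__main__":
    ahead, complete = built_before(SAMPLE, "sys-devel/gcc")
    print(f"{len(ahead)} packages precede sys-devel/gcc (complete={complete})")
```

On a snipped listing such as the one in this message, the second return value is False because the parsed entry count no longer matches the `Total:` line.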