Problems: Fewer alternative C++ compilers, so harder to test against 'Trusting Trust' attack
Posted Jun 18, 2008 19:12 UTC (Wed) by pynm0001 (guest, #18379)
In reply to: Problems: Fewer alternative C++ compilers, so harder to test against 'Trusting Trust' attack by dwheeler
Parent article: Converting GCC to C++
Um, fair enough, but this is like using autoconf so that your program can build on 10-year-old
AIX machines... it's optimizing for a problem that only precious few people care about, and the
other 99% of people who could benefit would instead have to suffer. Which is why we have the
explosion in new build systems... :-/
Those who are really worried that Ubuntu has corrupted their g++ binaries can use pcc to
compile an older version of gcc I suppose.
But you leave out one thing. Can an ANSI C compiler build gcc? I'm pretty sure that gcc
requires gcc-extensions to C to build at this point anyways, so you already need to trust gcc if you
use it as your compiler. In addition, if you look at Ian's slides on how things could look, I would claim
that a C++ implementation would at least be easier to perform code review on, and even static
analysis.
Actually you could simply build a current g++ and place it on read-only media and use it to build
the new C++-based gcc. If it's different from the installed version then perhaps malware code has
been slipped into the compiler as described in Thompson's article. But I don't see how
simply having the compiler in C helps in this case. You still need a "safe" version of gcc, and that
already compiles C++.