IRC channel logs
2023-10-26.log
<muurkha> because, holy shit, he emailed ken and asked him to please send codez
<muurkha> and it's in the TUHS tapes Ritchie gave Toomey in 01997
<muurkha> > It's short! When Ken sent me nih.a and I got it running, my immediate reaction was disbelief at the size of the change: 99 lines of code, plus a 20-line shell script. If you already know how to make a program print itself, the biggest surprise is that there are no surprises!
<muurkha> > It's one thing to say "I know how to do it in theory" and quite another to see how small and straightforward the backdoor is in practice. In particular, hooking into source code reading makes it trivial. Somehow, I'd always imagined some more complex pattern matching on an internal representation in the guts of the compiler, not a textual substitution. Seeing it run, and seeing how tiny
<muurkha> it is, really drives home how easy it would be to make a change like this and how important it is to build from trusted sources using trusted tools.
<muurkha> > I don't say any of this to put down Ken's doing it in the first place: it seems easy because he did it and explained it to us. But it's still very little code for an extremely serious outcome.
<nektro> since i find go and zig easier to grasp i wanted to try an alternative chain route
<nektro> this was only a couple days ago but i didn't get far outside starting the initial fork since i haven't got mes working yet
<nektro> but it's something i'll be keeping an eye on
<lanodan> Another path being possible via GCCGO as well
<matrix_bridge> <Andrius Štikonas> lanodan: go 1.4 can't build the newest, I made some intermediate version in my gentoo overlay
<matrix_bridge> <Andrius Štikonas> Though that path won't work for riscv, I guess we need gccgo then
<oriansj> muurkha: I guess we can safely assume this class of attack has been in the wild since 1997 then and treat all generated code as suspect.
<oriansj> janneke: I think the reason he didn't mention bootstrappable builds or guix was that he was more concerned about source code published by strangers on the internet than binary blobs.
<oriansj> but then it is strange that code review signing infrastructure isn't mentioned either.
<ekaitz> muurkha: I saw the post this morning! really cool stuff
<lanodan> Right, I heard about that but always forgot if they actually went with it, at least it means you can jump from 1.4 to near-latest via go1.14
<matrix_bridge> <Andrius Štikonas> It's a pity they don't mention bootstrappable builds
<oriansj> theruran: thank you for trying to share ^_^
<oriansj> not everyone is constantly logged into this channel and so they would benefit if they missed out ^_^
<oriansj> the neat compiler's generated C code however just makes me shake my head