[squeak-dev] Bootstrapping

Jecel Assumpcao Jr jecel at merlintec.com
Sun Jun 29 19:42:54 UTC 2008

Bert Freudenberg wrote:
> > The C compiler would fit the same definition, by that reasoning.
> No. You need a C compiler, true, but it builds the next C compiler  
> from text sources only, it does not clone itself.

Jim Gettys pointed out Ken Thompson's "Trusting trust" paper when this
thread was started in the olpc/education lists:


Even though you carefully examine the sources for the next version of
the C compiler, you can't know for sure what the current binary of the C
compiler will do with them. It can insert code not seen in the sources.

The solution is to use more than one C compiler. Use your current gcc
binary to compile the sources for lcc. Then use the resulting binary to
compile the sources for gcc. A Thompson-style Trojan that can handle
this situation is still possible, but exponentially more complex than
one designed for a single set of sources.

One equivalent in Squeak would be to have image manipulation tools
written in some other language, but a simpler alternative would be to
port the Smalltalk based tools we are already using to VisualWorks or
(better yet) GNU Smalltalk. But since I don't see anyone bothering to do
the gcc->lcc->gcc dance I don't see why Squeak should be held to such a
high standard.

The binary blob thing is a normal problem for Linux distributions. If I
give you the complete sources for some C application but also include
some PNG files for button images and a splash screen, it would take
about as much effort for me to hide nasty stuff in these as it would to
do the same in a Squeak image. If you were aware that I had done this
you would easily find the place in the C code where I was using the
images as I shouldn't, but otherwise I bet any number of people could
look right at the spot and not notice the evil intent.

In the end it is a matter of trusting some people, as Ken pointed out in
his paper. There is no way for me to know what the Intel or AMD people
put in the processors I am using. I might get the full sources for some
Linux system but don't have enough seconds left in my life to read it
all myself (I did it in 1994 when it was orders of magnitude smaller).
So I have to trust my processor company and I have to trust my software
suppliers. The only alternative is to build my own processor from TTLs
and do all the software:


-- Jecel
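As an added illustration, not part of Jecel's post or of any Squeak or gcc code, here is a toy Python model of the gcc -> lcc -> gcc dance described above. Compilers are Python objects, a "binary" is a record fully determined by the source it was built from plus anything a trojaned parent compiler slipped in, and equality of two records stands in for a bit-for-bit comparison of two real output files. The compiler sources, the `backdoor-for:` marker and the three sample binaries are all constructed for the example; the check is carried one stage further than the post states (both lineages end with "a gcc binary compiling the gcc sources") so that honest code-generation differences between the two compilers cancel out.

```python
"""Toy model of the gcc -> lcc -> gcc bootstrap check (constructed example)."""
from dataclasses import dataclass
import hashlib
import re


def compiler_name(source: str) -> str:
    """A source file whose first line reads 'compiler <name>' is a compiler."""
    m = re.match(r"compiler (\w+)", source.strip())
    return m.group(1) if m else ""


def backdoor_in_source(source: str) -> frozenset:
    """Names listed after 'backdoor-for:' are a backdoor that is visible in the
    source.  A Thompson-style trojan is the case where this set is empty but
    the binary still carries one."""
    m = re.search(r"backdoor-for:\s*([\w,]+)", source)
    return frozenset(m.group(1).split(",")) if m else frozenset()


@dataclass(frozen=True)
class Binary:
    digest: str          # honest translation of the source (a hash here)
    name: str            # compiler name, "" for an ordinary program
    targets: frozenset   # compilers this binary re-infects when compiling them

    def compile(self, source: str) -> "Binary":
        name = compiler_name(source)
        # A trojaned compiler re-inserts itself only into the compiler sources
        # it was taught to recognise; for everything else it behaves honestly.
        inherited = self.targets if name in self.targets else frozenset()
        return Binary(
            digest=hashlib.sha256(source.encode()).hexdigest()[:16],
            name=name,
            targets=backdoor_in_source(source) | inherited,
        )


def bootstrap_check(suspect: Binary, suspect_src: str, other_src: str) -> bool:
    """Return True when the suspect compiler rebuilt through the other
    compiler's lineage is identical to the suspect compiler rebuilt by itself."""
    other = suspect.compile(other_src)                             # gcc builds lcc
    via_other = other.compile(suspect_src).compile(suspect_src)    # lcc builds gcc, which rebuilds gcc
    via_self = suspect.compile(suspect_src).compile(suspect_src)   # gcc builds gcc, which rebuilds gcc
    return via_other == via_self


# Constructed stand-ins for the two compilers' sources; both are clean.
GCC_SRC = "compiler gcc\n; constructed stand-in for the gcc sources\n"
LCC_SRC = "compiler lcc\n; constructed stand-in for the lcc sources\n"

HONEST_GCC = Binary(hashlib.sha256(GCC_SRC.encode()).hexdigest()[:16], "gcc", frozenset())
# Same digest as the honest binary because the sources are the same clean
# sources; only the hidden behaviour differs, which is exactly what source
# review cannot see.
TROJAN_GCC = Binary(HONEST_GCC.digest, "gcc", frozenset({"gcc"}))          # knows gcc only
TROJAN_GCC_LCC = Binary(HONEST_GCC.digest, "gcc", frozenset({"gcc", "lcc"}))  # knows both

if __name__ == "__main__":
    for label, binary in [("honest gcc", HONEST_GCC),
                          ("trojan for gcc only", TROJAN_GCC),
                          ("trojan for gcc and lcc", TROJAN_GCC_LCC)]:
        ok = bootstrap_check(binary, GCC_SRC, LCC_SRC)
        print(f"{label:24s} {'consistent' if ok else 'MISMATCH'}")
```

The single-compiler trojan is caught because the lcc binary it produced is clean, so the gcc it rebuilds through lcc lacks the hidden behaviour that the self-rebuilt gcc still carries. The trojan that also recognises the lcc sources survives the check, which is the post's point that such a Trojan is still possible, only more complex; adding a third, independently built compiler raises the bar again.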
