LinuxQuestions.org
Old 08-14-2020, 11:23 AM   #61
resolver
Member
 
Registered: Jun 2020
Posts: 61

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by hazel View Post
The same is true of gcc. Apparently other C compilers can't build it. But I haven't noticed anyone complaining about that.
That's a great point and it bolsters my general argument that good security isn't achieved in this way. It's like feeding ground-up cows to cows, which caused the spread of Mad Cow disease in places like the UK.

But there is a huge difference between GCC and rust: the latter's build script is written to download binaries as if it were a proactive good idea instead of reckless. I haven't tried to build GCC lately, but I don't recall it ever did that.

Should GCC be made to build with the simplest possible C compiler? Yes. It has become appalling bloatware. The more code, the more vulnerabilities.
 
Old 08-14-2020, 11:51 AM   #62
Geist
Member
 
Registered: Jul 2013
Distribution: Slackware 14 / current
Posts: 442

Rep: Reputation: 196
Hey, resolver.

What are your thoughts on:
Garlic, stakes, the heart, thresholds of doors, mirrors, rice in bowls, running water, sunny mornings, life energy, bats and strange hairstyles that look like breasts?

Feel any kinship?

Last edited by Geist; 08-14-2020 at 11:54 AM.
 
Old 08-14-2020, 12:34 PM   #63
philanc
Member
 
Registered: Jan 2011
Posts: 308

Rep: Reputation: 273
Quote:
Originally Posted by resolver View Post
It should be possible for everyone to rebuild the distro, get hashes for every txz file, and when they compare their hashes they should be identical.

That's the concept of reproducible builds. It's just a simple concept that source tarball X always gives you binary Y.

Open source doesn't mean much if the binaries that are offered online don't match those that you build yourself.
You might be interested in Tavis Ormandy's post: "You don’t need reproducible builds"
http://blog.cmpxchg8b.com/2020/07/yo...le-builds.html

It probably doesn't fit your views, but at least it exposes an interesting point of view.
 
5 members found this post helpful.
Old 08-14-2020, 01:59 PM   #64
LuckyCyborg
Senior Member
 
Registered: Mar 2010
Posts: 3,487

Rep: Reputation: 3288
Quote:
Originally Posted by resolver View Post
That's a great point and it bolsters my general argument that good security isn't achieved in this way. It's like feeding ground-up cows to cows, which caused the spread of Mad Cow disease in places like the UK.

But there is a huge difference between GCC and rust: the latter's build script is written to download binaries as if it were a proactive good idea instead of reckless. I haven't tried to build GCC lately, but I don't recall it ever did that.

Should GCC be made to build with the simplest possible C compiler? Yes. It has become appalling bloatware. The more code, the more vulnerabilities.
Basically, there you accuse Mozilla of shipping binaries with backdoors. Do you have proof of that?

Unless you publicly provide proof of your claims, I accuse you of being just a troll hired by a major Mozilla competitor to spread FUD.

So, are you paid per post or per campaign? I wonder if it is really worth this trolling...

Last edited by LuckyCyborg; 08-14-2020 at 02:13 PM.
 
1 members found this post helpful.
Old 08-14-2020, 02:56 PM   #65
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Quote:
Originally Posted by resolver View Post
In order to compile Rust on a system that doesn't have it, the rust build script x.py insists on downloading binaries. You are expected to be OK with that. But no one is telling users it's happening so that they could make an informed decision.
You are one of those people that begin something new and unknown without RTFM? https://rustc-dev-guide.rust-lang.or...d-and-run.html mentions loud and clear
Code:
The result is that compiling rustc is done in stages:

Stage 0: the stage0 compiler is usually (you can configure x.py to use something else) the current beta rustc compiler and its associated dynamic libraries
(which x.py will download for you). This stage0 compiler is then used only to compile rustbuild, std, and rustc.
In addition you can tell x.py to use your already installed Slackware rust compiler, see https://github.com/rust-lang/rust/bl...trap/README.md
Code:
$ ./configure --enable-local-rebuild
$ ./x.py build --incremental
Or, like I said previously, build a rust cross-compiler and then the stage0 compiler on a platform where a rust compiler already exists. Hopefully you are now on such a platform and it is not Slackware. That would be really nice.

You're welcome.
 
5 members found this post helpful.
Old 08-14-2020, 05:40 PM   #66
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 8,792

Rep: Reputation: 6656
Quote:
Originally Posted by resolver View Post
It should be possible for everyone to rebuild the distro, get hashes for every txz file, and when they compare their hashes they should be identical.

That's the concept of reproducible builds. It's just a simple concept that source tarball X always gives you binary Y.

Open source doesn't mean much if the binaries that are offered online don't match those that you build yourself.

Reproducible builds have the potential to protect against fraud, as when some project says "these are the sources we use" but actually they're patching it with malware because they want to, or some organization is pressuring them to.
A reproducible build is not a requirement of open source. A lot of factors would need to be in place to support reproducible builds and it's not every project's goal to support that. Just because you want it and think it should be possible doesn't mean the distro/project maintainer is keen on supporting it.

As it stands, it's impossible to get reproducible builds on Slackware. That's just not the way Pat develops Slackware. Each update is incremental and built on all the previous updates. The only way you could get close to reproducible builds (which will still have issues due to timestamps), would be by starting with the "last great rebuild" back in 2018 and then build updated packages in the update sets that Pat pushed out to -current. That may still not lead to a comparable result if you happen to compile things in a different order than Pat did which might result in different binaries.

Unless Pat announces his intention to support reproducible builds, you shouldn't expect Slackware to support the concept. I'll repeat myself... reproducible builds are not a requirement of open source. It's just a belief from some that open source software should be able to lead to reproducible builds.

Last edited by bassmadrigal; 08-14-2020 at 05:41 PM.
 
6 members found this post helpful.
Old 08-15-2020, 09:26 AM   #67
resolver
Member
 
Registered: Jun 2020
Posts: 61

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by philanc View Post
You might be interested in Tavis Ormandy's post: "You don’t need reproducible builds"
http://blog.cmpxchg8b.com/2020/07/yo...le-builds.html
It probably doesn't fit your views, but at least it exposes an interesting point of view.
Sure I'm open minded. Unlike some of the petty responders in this thread (Geist, Luckycyborg), Tavis behaves like an adult and is an authority.
 
1 members found this post helpful.
Old 08-15-2020, 09:28 AM   #68
resolver
Member
 
Registered: Jun 2020
Posts: 61

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by bassmadrigal View Post
A reproducible build is not a requirement of open source.
That's not an argument against it. And really you're arguing semantics, like saying seatbelts aren't a requirement of driving. It's a weak argument, and you don't come off sounding like an authority, but more like you are a defender of an orthodoxy that can't be defended.

Last edited by resolver; 08-15-2020 at 09:31 AM.
 
Old 08-15-2020, 09:42 AM   #69
resolver
Member
 
Registered: Jun 2020
Posts: 61

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Alien Bob View Post
You are one of those people that begin something new and unknown without RTFM? https://rustc-dev-guide.rust-lang.or...d-and-run.html mentions loud and clear
You're repeatedly misconstruing my position in order to issue your straw man argument and now you're resorting to an ad hominem. Shame on you. According to Rust proponents it cannot be built without a rust compiler. That's the flaw I'm pointing out that allows for backdooring. Sure, a broken rustc and rust library are included with Slackware, but based on everything I'm hearing and the unbalanced way you're arguing, it seems very unlikely that Slackware is built in a safe manner. You're reacting more like someone who was caught doing something wrong.
 
Old 08-15-2020, 09:46 AM   #70
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 7,567
Blog Entries: 19

Rep: Reputation: 4447
Quote:
Originally Posted by bassmadrigal View Post
A reproducible build is not a requirement of open source. A lot of factors would need to be in place to support reproducible builds and it's not every project's goal to support that.
Depends how you define "reproducible", doesn't it? Resolver seems to be talking about exact reproducibility, i.e. the hash of the built version is always the same. Actually I believe gcc uses that test: the gcc that you build rebuilds itself twice over and checks whether the result is exactly the same (unless you tell it to omit that). But for ordinary users like me, all that is required in most cases is that the functionality be the same. That means having access to the configure and make arguments that were used in a given build, so that you can reproduce them.

Yes, it's "open source" even if you don't have that info. But surely having it makes it more "open" than it would otherwise have been.

Last edited by hazel; 08-15-2020 at 09:48 AM.
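
Added example (not part of any post in this thread): a small Python sketch of the exact-hash comparison discussed in posts #66 and #70, showing how a build timestamp alone changes a package's hash and how pinning mtime and member order makes two rebuilds match. The package name, file contents and timestamps are constructed, and the payload is an uncompressed tar standing in for a .txz.

```python
import hashlib
import io
import tarfile

# Constructed sample package contents (not real Slackware files).
FILES = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "install/slack-desc": b"hello: hello (constructed sample package)\n",
}
PKG = "hello-1.0-x86_64-1.txz"  # hypothetical name; payload is an uncompressed tar


def build_package(files, build_time, normalize=False):
    """Pack {path: bytes} into a tar archive and return its bytes.

    build_time stands in for the wall clock at build time. With
    normalize=True the member order and mtime are pinned, so the
    archive depends only on the file contents.
    """
    buf = io.BytesIO()
    names = sorted(files) if normalize else list(files)
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0 if normalize else build_time
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def manifest(packages):
    """Map package name -> SHA-256 hex digest of the package bytes."""
    return {n: hashlib.sha256(d).hexdigest() for n, d in packages.items()}


def mismatches(published, rebuilt):
    """Names whose digests differ, or that exist on only one side."""
    return sorted(n for n in published.keys() | rebuilt.keys()
                  if published.get(n) != rebuilt.get(n))


def rebuild_check(normalize):
    """Build the same contents twice, a day apart and in a different
    file order, then compare the two manifests."""
    published = manifest({PKG: build_package(FILES, 1597400000, normalize)})
    shuffled = dict(reversed(list(FILES.items())))
    rebuilt = manifest({PKG: build_package(shuffled, 1597486400, normalize)})
    return mismatches(published, rebuilt)


if __name__ == "__main__":
    print("plain build mismatches:     ", rebuild_check(False))
    print("normalized build mismatches:", rebuild_check(True))
```
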
 
Old 08-15-2020, 11:24 AM   #71
LuckyCyborg
Senior Member
 
Registered: Mar 2010
Posts: 3,487

Rep: Reputation: 3288
Quote:
Originally Posted by resolver View Post
You're repeatedly misconstruing my position in order to issue your straw man argument and now you're resorting to an ad hominem. Shame on you. According to Rust proponents it cannot be built without a rust compiler. That's the flaw I'm pointing out that allows for backdooring. Sure, a broken rustc and rust library are included with Slackware, but based on everything I'm hearing and the unbalanced way you're arguing, it seems very unlikely that Slackware is built in a safe manner. You're reacting more like someone who was caught doing something wrong.
On the other hand, a GCC compiler cannot be built without a GCC compiler. And a CLang compiler cannot be built without a CLang compiler. Even a FreePascal compiler cannot be built without a FreePascal compiler.

According to your position, this allows for compiler backdooring and certainly no Linux distribution is built in a safe manner, be it Slackware, RHEL, Fedora, OpenSuSE, Debian, Ubuntu or whatever.

Heck, we should not forget the Microsoft compilers, which are shipped as binaries only; then, also according to you, this allows for backdooring.

Then, every compiler around the world allows the "backdooring" and everybody is plain stupid, excluding YOU?

We should just shut down en masse the computers all over the world because no one is safe, and join your way, marching and yelling "Hail Resolver!"???

I, for one, believe that you are nuts.

Last edited by LuckyCyborg; 08-15-2020 at 11:57 AM.
 
Old 08-15-2020, 11:36 AM   #72
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 7,567
Blog Entries: 19

Rep: Reputation: 4447
Quote:
Originally Posted by LuckyCyborg View Post
On the other hand, a GCC compiler cannot be built without a GCC compiler. And a CLang compiler cannot be built without a CLang compiler. Even a FreePascal compiler cannot be built without a FreePascal compiler.
That's true of gcc but not of clang. In LFS, clang is built as an optional part of llvm, using gcc as the compiler.
 
1 members found this post helpful.
Old 08-15-2020, 12:04 PM   #73
LuckyCyborg
Senior Member
 
Registered: Mar 2010
Posts: 3,487

Rep: Reputation: 3288
Quote:
Originally Posted by hazel View Post
That's true of gcc but not of clang. In LFS, clang is built as an optional part of llvm, using gcc as the compiler.
My bad!

BUT, this does not change much the credibility of CLang, considering that GCC is already "backdoorable" according to the teachings of the Security Genius Resolver, who bothered to share with us his godsend knowledge...

So, the "eventual backdoor" from GCC propagates to CLang at compilation time.

Last edited by LuckyCyborg; 08-15-2020 at 12:16 PM.
 
Old 08-15-2020, 12:49 PM   #74
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Quote:
Originally Posted by resolver View Post
You're repeatedly misconstruing my position in order to issue your straw man argument and now you're resorting to an ad hominem. Shame on you. According to Rust proponents it cannot be built without a rust compiler. That's the flaw I'm pointing out that allows for backdooring. Sure, a broken rustc and rust library are included with Slackware, but based on everything I'm hearing and the unbalanced way you're arguing, it seems very unlikely that Slackware is built in a safe manner. You're reacting more like someone who was caught doing something wrong.
Yeah yeah. What again was wrong with Slackware's rust compiler and library?

I must note that your argumentation of "based on everything I'm hearing" is exactly how a certain US president likes to bring his arguments, which is not doing you a lot of good here. Instead, please provide solid proof of your claims that can either be substantiated or proven wrong.
 
2 members found this post helpful.
Old 08-15-2020, 12:55 PM   #75
drgibbon
Senior Member
 
Registered: Nov 2014
Distribution: Slackware64 15.0
Posts: 1,217

Rep: Reputation: 942
Regarding the substantive part of this thread, what is the actual technical chain of trust when building rust on Slackware? I understand that checksums of all Slackware source files are signed by Slackware, but where is the upstream signing for the rust source itself? Related to that, when rust downloads these "untrusted binaries", I would be very surprised if they weren't verified by pre-signed checksums (as in, upstream signed). Could somebody knowledgeable explain how it functions? (and if you don't really know, please don't answer, thank you!).
 
1 members found this post helpful.
  

