comp.lang.ada
From: dewar@merv.cs.nyu.edu (Robert Dewar)
Subject: Re: Compiling gnat into gcc-2.8.0
Date: 1998/02/27
Message-ID: <dewar.888579588@merv>
In-Reply-To: 34F68913.2FF865DA@cl.cam.ac.uk


Markus says

<<Paranoids will point out that this can be seen as a security problem
of gnat as it prevents source code review of the compiler. Read
Ken Thompson's legendary "Reflections on trusting trust" ACM
Turing award lecture if you do not understand why this is so:

>>

Amusing, but inaccurate. There are many ways to review the code of GNAT
at this level of paranoia. For example, you can use objdump to look at 
the generated code interspersed with source. Another path would be to
entirely reconstruct the bootstrap path of GNAT from version 1.00 which
was bootstrapped with Alsys Ada.

Of course Alsys Ada, being a black box proprietary product, as are almost
all other Ada compilers, is quite impenetrable to such validation, and
all Ken Thompson's entertaining constructions show is that a compiler
that is distributed in source form, by going to really heroic methods,
could manage to duplicate the same kind of duplicity that is absolutely
trivial to install in a proprietary product!

Of course, going back to the original, the idea that source code review
is ever adequate on its own if you are operating at this level of distrust
is completely bogus. Never mind far-fetched fantasies of the KT style,
a more realistic concern is whether there is some accidental case in which
the compiler generates incorrect code for itself, and that due to some
horrible stroke of bad luck, this incorrect code is somehow risky.

If you are indeed operating at this level of paranoia, then the only
resort for any program is to review the object code line by line. The
fact that with GNAT you have the sources makes this possible, though
certainly expensive, and unlikely to be worthwhile.

Once again, with a proprietary product it would be out of the question to
review hundreds of thousands of lines of object code without reference to
the source code, so the free software approach has significant advantages,
even in this kind of environment.

Actually, probably if you even wanted to *consider* a validation at this
level it would be easier to modify GNAT so it could be compiled by some
other Ada 95 compiler, if for some reason that increases your confidence.
I noted this was a very hard task, but it is easy compared to doing line
by line object verification of a complete compiler.

It is interesting that I have occasionally run into a piece of FUD that
holds that somehow software is more susceptible to subversion if it is
available in source form.

There is of course no technical basis for such a claim. It probably stems
from the concern that if the sources are available, then anyone can modify
them. This is of course true, and there is no doubt that getting a version
of GNAT that has been modified by person or persons unknown, or may have
been modified in such a way, is potentially risky. We always warn people
that one of the issues in using the public version is that there is no
guarantee that we can provide that what you get corresponds to what we
initially distributed. It is most unlikely that anyone would have tampered
with the public distribution, but it is entirely out of our control.

One of the things that our customers obtain by buying support is the knowledge
that they are getting exactly the version that we guarantee matches our
very carefully controlled sources. This is of course the same guarantee that
you get when you buy a proprietary product. In this respect there is very
little difference between buying GNAT support and buying a proprietary
compiler.

The difference comes into play when using the unsupported public version.
I am occasionally surprised to find serious projects using this version. For
my own taste I would never use unsupported software for any serious project
(by the way, I regard GNAT development itself as a serious project, and I
never permit any unsupported freeware or shareware on my own machine :-)
But of course this is a decision that an individual project needs to make
for itself.

Robert Dewar
Ada Core Technologies
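The following is an added illustration, not part of Dewar's post and not GNAT or ACT code. It is a deliberately tiny model of the situation argued about above: a self-hosting compiler, a Thompson-style trojan that survives a rebuild from pristine source, the gcc-style stage2/stage3 self-comparison (which catches the "compiler miscompiles itself" accident but not the trojan), and the check the post points at, rebuilding the same source along an independent bootstrap path (the "Alsys Ada" route) and comparing the result. All names (CLEAN_COMPILER_SRC, INDEPENDENT_COMPILER_OBJ, the "joshua" backdoor password, the toy check_password program) are constructed for the example; a "compiler" here is simply Python text defining compile_src(src), and compiling is the identity transform, so object text can be compared byte for byte.

```python
"""Toy model of 'trusting trust' and of the independent-bootstrap check.

Constructed example.  A 'compiler object' is Python text that defines
compile_src(src) -> object text; a 'program object' is Python text we exec.
For this toy language a correct compiler is the identity transform, so a
clean compiler object is byte-identical to its own source.
"""

# Pristine, reviewed compiler source (what a source-code review sees).
CLEAN_COMPILER_SRC = "def compile_src(src):\n    return src\n"

# An independently written compiler for the same toy language (stands in
# for a second vendor's compiler in the bootstrap chain).  Same output,
# different implementation.
INDEPENDENT_COMPILER_OBJ = (
    "def compile_src(src):\n"
    "    return ''.join(line + '\\n' for line in src.splitlines())\n"
)

# A trojaned compiler object.  It is a quine: when asked to compile the
# compiler's own (clean) source it emits itself again, and when asked to
# compile the login program it plants a backdoor.  Everything else is
# compiled faithfully, so ordinary testing notices nothing.
TROJAN_TEMPLATE = '''SELF = %r
def compile_src(src):
    if "def compile_src" in src:
        return SELF %% SELF
    if "def check_password" in src:
        return src.replace("return given == real",
                           "return given == real or given == 'joshua'")
    return src
'''
TROJANED_COMPILER_OBJ = TROJAN_TEMPLATE % TROJAN_TEMPLATE

# The program whose security depends on the compiler (constructed).
LOGIN_SRC = '''def check_password(given, real):
    return given == real
'''


def run_compiler(compiler_obj, src):
    """Execute a compiler object on source text and return the object text."""
    ns = {}
    exec(compiler_obj, ns)
    return ns["compile_src"](src)


def login_has_backdoor(login_obj):
    """True if the compiled login accepts the trojan's magic password."""
    ns = {}
    exec(login_obj, ns)
    return ns["check_password"]("joshua", "correct horse battery staple")


def rebuild_from_source(compiler_obj):
    """gcc-style bootstrap: build the compiler from pristine source with the
    binary you already have (stage2), then again with stage2 (stage3).
    stage2 == stage3 catches accidental self-miscompilation only."""
    stage2 = run_compiler(compiler_obj, CLEAN_COMPILER_SRC)
    stage3 = run_compiler(stage2, CLEAN_COMPILER_SRC)
    return stage2, stage3


def independent_bootstrap_matches(suspect_obj):
    """Rebuild the same pristine source along a second path that starts from
    an independent compiler, and compare the two self-compiled results.
    A trojan that reproduces itself through the suspect binary cannot
    reproduce itself through the independent one."""
    via_suspect = run_compiler(suspect_obj, CLEAN_COMPILER_SRC)
    stage1 = run_compiler(INDEPENDENT_COMPILER_OBJ, CLEAN_COMPILER_SRC)
    via_independent = run_compiler(stage1, CLEAN_COMPILER_SRC)
    return via_suspect == via_independent


if __name__ == "__main__":
    stage2, stage3 = rebuild_from_source(TROJANED_COMPILER_OBJ)
    print("self-consistency (stage2 == stage3):", stage2 == stage3)
    print("rebuilt compiler still plants backdoor:",
          login_has_backdoor(run_compiler(stage3, LOGIN_SRC)))
    print("independent bootstrap agrees with suspect binary:",
          independent_bootstrap_matches(TROJANED_COMPILER_OBJ))
```

Run as written, the first two lines print True (the trojan survives a rebuild from clean source and the stage comparison is happy) and the third prints False: the object produced along the independent path differs from the one produced by the suspect binary, which is exactly the discrepancy a reconstruction of the bootstrap path from an independent compiler, or a port to a second Ada 95 compiler, would expose. The model assumes deterministic, byte-comparable compiler output; with a real compiler the comparison has to be made on builds that are reproducible or normalised first.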

Thread overview: 18+ messages
1998-02-25  0:00 Compiling gnat into gcc-2.8.0 Kevin Taylor
1998-02-26  0:00 ` Simon Wright
1998-02-26  0:00   ` Robert Dewar
1998-02-26  0:00 ` Stephen Leake
1998-02-26  0:00   ` Robert Dewar
1998-02-27  0:00   ` Markus Kuhn
1998-02-27  0:00     ` Robert Dewar [this message]
1998-02-27  0:00       ` Andi Kleen
1998-02-27  0:00         ` Larry Kilgallen
1998-02-27  0:00           ` Robert Dewar
1998-02-27  0:00     ` Richard Kenner
1998-03-01  0:00       ` Trusting GNAT for security software Markus Kuhn
1998-03-01  0:00         ` Robert Dewar
1998-03-01  0:00           ` Larry Kilgallen
1998-03-01  0:00             ` Robert Dewar
1998-03-02  0:00               ` Larry Kilgallen
1998-03-02  0:00             ` Andi Kleen
1998-03-02  0:00               ` Larry Kilgallen