Are You Sure This Is the Source Code?
oever writes "Software freedom is an interesting concept, but being able to study the source code is useless unless you are certain that the binary you are running corresponds to the alleged source code. It should be possible to recreate the exact binary from the source code. A simple analysis shows that this is very hard in practice, severely limiting the whole point of running free software."
The guy who submitted that article is the person who wrote it. Awesome "work", editors.
To borrow from The Watchmen:
Who compiles the compiler?
Your attribution isn't just a little off, it's way off.
Try Iuvenalis, around 200 AD.
There are very talented people that can hide things in only a few lines of code. See http://ioccc.org/ for some examples that will make your skin crawl.
Do not look at laser with remaining good eye.
Yeah. Unfortunately, the issues he presents here DO make it more difficult to prove that someone is providing a binary that could NOT have possibly originated from the provided source code.
As an example, the kernel source initially released for the Samsung GT-N8013 (USA Wifi Note 10.1) was not what was used to build the binaries in question.
The "difficult to prove but obvious" - Any kernel built from the provided source had a massively broken wifi driver that would completely stop functioning, usually within 5-10 minutes, requiring the module to be removed and reinserted. Pulling the wifi module source from a different Samsung tarball (such as a GT-I9300 release) would result in a working driver. But how do you prove the source provided is correct?
In the case of the N8013, we were lucky - Samsung changed a bunch of debug printk()s slightly in their released binary. Small stuff, not functionally relevant, such as typo fixes and capitalization differences in their touchscreen driver's debug printk()s - but at least provable to be different.
So we could prove that the kernels didn't match, but couldn't necessarily prove that the biggest functional problem was due to a source difference.
We asked Samsung to provide source that corresponded to the UEALGB build for that device, and their response was, "That build is a leak and hence we are not obligated to provide source for it." Effectively admitting that the provided source was not meeting the requirements imposed by the GPL for that build, and then claiming that the software build preinstalled on every device sold in the USA for the first 1-2 months after launch was a "leak" and thus they didn't have to provide source for it.
Needless to say, between that and other situations, that was my last Samsung device.
retrorocket.o not found, launch anyway?
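The "provable to be different" check described in that comment (the shipped binary and the kernel built from the provided tarball disagreeing in their printk text) can be reduced to a strings diff. The following is an added example, not code from the original thread or from Samsung or the kernel project: it extracts printable ASCII runs from two binary blobs and reports what appears in only one of them. The two images, their header bytes, and the driver message strings are constructed sample data standing in for a real vmlinux pair; the function and variable names are the example's own.

```python
import re

# Minimum run of printable ASCII (0x20-0x7e) to count as a "string",
# matching the default of the strings(1) utility.
DEFAULT_MIN_LEN = 4


def make_image(strings):
    """Build a constructed stand-in for a kernel image: non-printable header
    bytes, the given strings separated by NUL padding, and a trailer."""
    return b"\x7fELF\x01\x01\x01\x00" + b"\x00\x00".join(strings) + b"\x00\xff\xfe"


# Constructed sample data: messages shared by both builds, plus one debug
# message that differs only by a typo fix and a capitalisation change,
# as the comment above describes.
SHARED = [
    b"Linux version 3.0.31 (constructed sample)",
    b"wlan0: link is up",
    b"touchscreen: reset done",
]
BUILT_FROM_SOURCE = make_image(SHARED + [b"touchscreen: calibration finsihed"])
SHIPPED = make_image(SHARED + [b"touchscreen: Calibration finished"])


def extract_strings(blob, min_len=DEFAULT_MIN_LEN):
    """Return the set of printable ASCII runs of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, blob)}


def compare_strings(image_a, image_b, min_len=DEFAULT_MIN_LEN):
    """Return (only_in_a, only_in_b): sorted lists of strings present in
    exactly one of the two images. Two builds of the same source with the
    same toolchain should give two empty lists; any non-empty list is
    proof that the images were not built from identical source text."""
    a = extract_strings(image_a, min_len)
    b = extract_strings(image_b, min_len)
    return sorted(a - b), sorted(b - a)


def compare_files(path_a, path_b, min_len=DEFAULT_MIN_LEN):
    """Same comparison on two files on disk (e.g. two uncompressed vmlinux)."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return compare_strings(fa.read(), fb.read(), min_len)


if __name__ == "__main__":
    only_source, only_shipped = compare_strings(BUILT_FROM_SOURCE, SHIPPED)
    print("only in build from provided source:")
    for s in only_source:
        print("  " + s)
    print("only in shipped binary:")
    for s in only_shipped:
        print("  " + s)
```

Two caveats when running this against real images: a zImage or bzImage is compressed, so the comparison has to be done on the decompressed vmlinux (or on the extracted module .ko files), and a string that differs proves the source differs but, as the commenter notes, does not by itself show which difference caused a functional bug.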
But unless and until he reads AND UNDERSTANDS every line of the source he is always going to have to be trusting somebody somewhere.
Even if he reads and understands every line of the source, he's still trusting someone. He has to read and understand every line of the source code of the compiler he is using, and the compiler that compiled that compiler, and so on.
"Reflections on Trusting Trust" is almost 30 years old now. It should be well known.
Give me Classic Slashdot or give me death!
For true malice there's also The Underhanded C Contest.
From their home page: "The goal of the contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil."
It always takes longer than you expect, even when you take into account Hofstadter's Law. --Hofstadter's Law