


Re: Can I trust downloading Python?

Date Mon, 09 Sep 2013 06:02:18 -0500
From Anthony Papillion <papillion@gmail.com>
To python-list@python.org
Subject Re: Can I trust downloading Python?
Newsgroups comp.lang.python
Message-ID <mailman.171.1378724549.5461.python-list@python.org>



On 09/09/2013 04:41 AM, Steven D'Aprano wrote:
> On Mon, 09 Sep 2013 02:39:09 +1000, Chris Angelico wrote:
> 
>> On Mon, Sep 9, 2013 at 2:08 AM, Charles Hottel <chottel@earthlink.net>
>> wrote:
>>> I think this article is relevant although the code examples are not
>>> Python but C:
>>>
>>> http://cm.bell-labs.com/who/ken/trust.html
>>
>> That is quite true, and yet not truly helpful here :) It's like pointing
>> out that we could be being fed false information, and then suggesting
>> that The Matrix is technically possible. Once you start distrusting to
>> that level, you become paranoid to a point that's inappropriate to all
>> but the most critical situations. I'd accept and maybe even recommend
>> that sort of paranoia if you're running a nuclear power station, or an
>> automated weapon system capable of firing missiles that destroy the
>> planet, or a bank that holds everyone's money. For the average Joe,
>> there's no point panicking.
>>
>> Also: That hack works beautifully when there's precisely one C compiler.
>> In today's world, there are many (well known ones like gcc, clang, MS
>> Visual Studio (whatever the compiler from that is called), and a bunch
>> of lesser-known ones as well), and it's pretty easy to just grab a
>> different compiler and build. The chances that your code will be falsely
>> compiled by TWO compilers would have to be infinitesimal, and you
>> needn't stop at two. 
> 
> That logic is dubious. Compilers aren't compromised by chance, and we 
> don't know the a priori probability of any specific compiler being 
> compromised. That depends on the attacker, surely? We know, for example, 
> that the NSA has compromised multiple brands of router, smart phone and 
> similar. If they, or some other similar organisation with equivalent 
> capabilities, were going to attack compilers in the same manner, they 
> surely wouldn't stop at one.

But (and this is stepping into *really* paranoid territory here, but
maybe not beyond the realm of possibility) it would not be so hard to
compromise compilers at the chip level. If the NSA were to strike an
agreement with, say, Intel so that every time a compiler ran on the
system, secret code was discreetly inserted into the binary, it would be
nearly impossible to detect and a very elegant solution to a tough problem.



Thread

Re: Can I trust downloading Python? Michael Torrie <torriem@gmail.com> - 2013-09-07 21:04 -0600
  Re: Can I trust downloading Python? Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-09-08 12:32 +0000
    Re: Can I trust downloading Python? "Charles Hottel" <chottel@earthlink.net> - 2013-09-08 12:08 -0400
      Re: Can I trust downloading Python? Chris Angelico <rosuav@gmail.com> - 2013-09-09 02:39 +1000
        Re: Can I trust downloading Python? Steven D'Aprano <steve@pearwood.info> - 2013-09-09 09:41 +0000
          Re: Can I trust downloading Python? Anthony Papillion <papillion@gmail.com> - 2013-09-09 06:02 -0500
          Re: Can I trust downloading Python? Michael Torrie <torriem@gmail.com> - 2013-09-09 10:23 -0600
          Re: Can I trust downloading Python? William Ray Wing <wrw@mac.com> - 2013-09-09 12:40 -0400
          Re: Can I trust downloading Python? Michael Torrie <torriem@gmail.com> - 2013-09-09 10:44 -0600
