
Re: Can I trust downloading Python?

Subject Re: Can I trust downloading Python?
From William Ray Wing <wrw@mac.com>
In-reply-to <522DF5FA.5090202@gmail.com>
Date Mon, 09 Sep 2013 12:40:45 -0400
To Michael Torrie <torriem@gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.185.1378744855.5461.python-list@python.org> (permalink)


On Sep 9, 2013, at 12:23 PM, Michael Torrie <torriem@gmail.com> wrote:

> On 09/09/2013 05:02 AM, Anthony Papillion wrote:
>> But (and this is stepping into *really* paranoid territory here. But
>> maybe not beyond the realm of possibility) it would not be so hard to
>> compromise compilers at the chip level. If the NSA were to strike an
>> agreement with, say, Intel so that every time a compiler ran on the
>> system, secret code was discreetly inserted into the binary, it would be
>> nearly impossible to detect and a very elegant solution to a tough problem.
> 
> Indeed it is really paranoid territory, but now doesn't seem quite as
> far fetched as one originally thought a few years ago!  We'll still
> trust (we have to; we have no other choice), but the level of trust in
> computers in general has certainly gone down a notch and will never
> quite be the same.

I think that is pretty far fetched.  It requires recognition that a compiler is being compiled.  I'd be REALLY surprised if there were a unique sequence of hardware instructions that was common across every possible compiler (current and future) and which wouldn't (couldn't) exist in arbitrary non-compiler execution, which could be used to trigger insertion of a backdoor.

-Bill
