Thomas Delrue via plug on 1 Nov 2021 13:38:03 -0700



Re: [PLUG] trojan, ransomware



On 11/1/21 15:22, Martin Cracauer via plug wrote:
> Syeed Ali via plug wrote on Mon, Nov 01, 2021 at 12:13:03PM -0700:
>> On Mon, 1 Nov 2021 11:21:26 -0400 jeffv via plug 
>> <plug@lists.phillylinux.org> wrote:
>> 
>>> ‘Trojan Source’ Bug Threatens the Security of All Code

Yet another 'trademarked bug'...
The short of this thing seems to be "If you can't trust the people
writing the code, then you cannot trust the code" duh

If I understand correctly, this particular issue is not really situated
in any particular compiler. It is really situated in the rest of the
tool-chain that is used by the human developers to visualize the code:
it's a visual reordering, not a 'tricking the compiler'-thing. The
compiler seems to do exactly what it is instructed to do.

The supply chain is not just about binaries and libraries you depend on,
it includes the folks that write your code too...

>> Well shit.
>> 
>> I guess we all knew it was coming.  Compiler complexity and 
>> security was something I had read about a while back.  I can't 
>> recall the title of the essay that spoke about the intentional 
>> introduction of bugs within a compiler, but it forever changed my
>> idea of trust in software.
> 
> Do we really need unicode in source code?

Yes, because saying 'no' implies that there's a meaningful distinction
between Unicode and non-Unicode content. And that just makes no sense to
me. It's all just code.

> Serious question.  I don't want to be all English-rulz, but 
> realistically everybody programs in English.

Because maps don't say "there be dragons" outside of the English
speaking world...
English happens to be the Lingua Franca in programming today, tomorrow
it may be Chinese or Hindi, why would (the proverbial) you want to hold
back progress that (native) {Chinese|Hindi} speakers could be making if
they were unchained from having to translate everything into English
first? Who knows what kind of cool language(s) and tools they come up
with in the future.

English may be natural for you and me, but we aren't the majority...

> Also, do Emacs or VIM support unicode control characters in regular 
> source code buffers? I think the article talks about compilers which
>  can use 32 bit characters in source code (in literal strings and in
>  comments).  I don't want that in the first place.

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
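
The message above locates the issue in how code is displayed to the reviewer rather than in the compiler. As an added example (not part of the original email or of any tool named in the thread), this Python sketch flags the Unicode bidirectional formatting characters that cause such visual reordering and renders them as visible escapes for review; the function names and the sample text are constructed for illustration.

```python
import unicodedata

# Bidirectional formatting characters from the Unicode Bidirectional Algorithm:
# each opener is mapped to the terminator that closes it.
OPENERS = {
    "\u202a": "\u202c", "\u202b": "\u202c",   # LRE, RLE -> PDF
    "\u202d": "\u202c", "\u202e": "\u202c",   # LRO, RLO -> PDF
    "\u2066": "\u2069", "\u2067": "\u2069", "\u2068": "\u2069",  # LRI, RLI, FSI -> PDI
}
BIDI_CONTROLS = set(OPENERS) | set(OPENERS.values())


def scan_source(text):
    """Return (line, column, codepoint, name) for every bidi control character."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return findings


def unterminated_lines(text):
    """Heuristic: lines that open an embedding, override or isolate without closing it."""
    bad = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        stack = []
        for ch in line:
            if ch in OPENERS:
                stack.append(OPENERS[ch])
            elif stack and ch == stack[-1]:
                stack.pop()
        if stack:
            bad.append(lineno)
    return bad


def escape_for_review(text):
    """Show the logical character order by making bidi controls visible."""
    return "".join(f"\\u{ord(c):04x}" if c in BIDI_CONTROLS else c for c in text)


# Constructed sample: line 2 has an unclosed override, line 3 a balanced isolate.
SAMPLE = 'greeting = "hello"\n# note \u202e reversed text\nlabel = "\u2067abc\u2069"\n'

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
    print("unterminated on lines:", unterminated_lines(SAMPLE))
    print(escape_for_review(SAMPLE))
```

A balanced isolate around right-to-left text in a string literal can be legitimate, so the unterminated check is the stronger signal; the plain scan is better suited to code bases that expect no such characters at all.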

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug