GNU Mes rebuild is definitely an application of DDC!

David A. Wheeler dwheeler at dwheeler.com
Mon Oct 12 22:23:47 UTC 2020


All -

In the discussion today I was pointed to this awesome post about creating a reproducible bootstrap of the GNU Mes C compiler:
https://reproducible-builds.org/news/2019/12/21/reproducible-bootstrap-of-mes-c-compiler/

I was asked if this counted as an application of Diverse Double-Compiling (DDC). Unless I’m grossly misunderstanding something, that is *definitely* an application of DDC! Different compilers are being used with the same source code in a special way to verify that the results are bit-for-bit identical. That’s what DDC is all about. The compilers being used in the DDC process aren’t as diverse as one might like, so there are limits to the result (as discussed in section 6 of my dissertation). But that’s definitely the real deal. In fact, it shows how DDC & reproducible builds can work together to provide a very strong countermeasure against the trusting trust attack & other kinds of maliciously subverted executables.

I wrote a summary explaining it here:
https://dwheeler.com/trusting-trust/#real-world

If I missed anything, or if anything is wrong, let me know. But I think it’s worth noting that this really is an application of DDC to gain confidence in a reproducible bootstrap.

Thanks so much!

--- David A. Wheeler



More information about the rb-general mailing list