Call for real-world scenarios prevented by RB practices
Jisook Moon
moonj.kr at gmail.com
Fri Mar 25 04:39:12 UTC 2022
Please unsubscribe my email, thank you.
On Thu, Mar 24, 2022 at 9:00 PM John Gilmore <gnu at toad.com> wrote:
> On 22/03/2022 13.46, Chris Lamb wrote:
> > Just wondering if anyone on this list is aware of any real-world
> > instances where RB practices have made a difference and flagged
> > something legitimately "bad"?
>
> The GNU compilers are already tested for complete reproducibility. We
> at Cygnus Support built that infrastructure back in the 1990s, when we
> made gcc into a cross-compiler (compiling on any architecture + OS,
> targeting any other). We built the Deja Gnu test harness, and some
> compiler/assembler/linker test suites, that rebuilt not just our own
> tools, but also a test suite with hundreds or thousands of programs. We
> compared their binaries until they were bit-for-bit identical when built
> on many different host machines of different architectures.
>
> To make it work, we had to fix many bugs and misfeatures, including even
> some high-level design bugs, like object file formats that demanded a
> timestamp (we decided that 0 was a fine timestamp). A few of those bugs
> involved generating different but working instruction sequences -- I
> recall fixing one that depended on an uninitialized local variable.
>
> We never found any malicious code in the GNU tools during that process,
> just poorly debugged code and unportable code. I don't know whether
> that's because nobody malevolent actually knew what a lever they would
> have had by infesting our code, or whether we really weren't as
> important as we thought we were :-/. I was still manually making and
> reading the diff between the previous release and each new release, to
> make sure that no change that I didn't recognize would slip through. It
> was a pretty heady feeling to make a GNU tool release, send an email to
> info-gnu, and have thousands of people running it in the next few days.
> We took the responsibility seriously.
>
> (Caveat: We weren't shipping binaries, except to Cygnus customers.
> Maliciously patched binaries are what RB is designed to prevent.)
>
> John
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20220324/ea4de04b/attachment.htm>
More information about the rb-general
mailing list