Reflections on Trusting Trust

Famous Unix and C developer Ken Thompson has a classic article on the concept of “trust” and its ability to be verified by examining the source code, arguing the triviality of moving malware into the compiler toolchain.

While this is true, it never struck me as a practical or realistic threat, though in principle perhaps at a DOD level of espionage you might find someone attempting an attack like this with the compiler or even on the chip level.

My first encounter with this article was as a rebuttal from a very skilled developer who argued that open source software isn’t preventing malicious activity by being open for source code audit since the compiler could have the malicious code and you could infect the compiler. However, this seems to me to be an argument as if to say because a lock can be picked we should not lock the deadbolt on our door.

All that aside, I am curious whether Nix style reproducible builds represent a significant hedge against this attack, since this would detect any malicious code in the compiler.

1 Like
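The check the post above has in mind, independent rebuilders compiling the same source and comparing hashes with the vendor's published binaries, is easy to state as a small tool. The following is an added example written for this thread; it is not code from Nix, Guix or either poster. Artifact names, bytes and builder names are constructed sample data standing in for real build outputs, and the verdict names are this example's own.

```python
"""Cross-check independent rebuilds of the same source against a vendor's binaries.

Added example for this thread, not code from Nix, Guix or the thread's authors.
It models what reproducible-builds projects do: several independent rebuilders
compile the same source in their own environments, and the resulting hashes are
compared with the publisher's. Artifact names, bytes and builder names below
are constructed sample data.
"""
import hashlib

# Constructed sample "build outputs" standing in for real binaries:
# artifact name -> bytes that a build produced.
VENDOR_BUILD = {
    "hello": b"\x7fELF hello 1.0 from-source",
    "libutil.so": b"\x7fELF libutil 1.0 from-source + bytes no rebuilder produces",
    "docs.tar": b"docs built 2024-01-01T00:00:00Z",
}

# Two independent rebuilders compiled the same source in separate environments.
REBUILDER_BUILDS = {
    "builder-a": {
        "hello": b"\x7fELF hello 1.0 from-source",
        "libutil.so": b"\x7fELF libutil 1.0 from-source",
        "docs.tar": b"docs built 2024-05-02T10:11:12Z",  # embeds its own build time
    },
    "builder-b": {
        "hello": b"\x7fELF hello 1.0 from-source",
        "libutil.so": b"\x7fELF libutil 1.0 from-source",
        "docs.tar": b"docs built 2024-05-03T08:00:00Z",  # a different build time
    },
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_build(build: dict[str, bytes]) -> dict[str, str]:
    """Map every artifact of one build to its SHA-256 hex digest."""
    return {name: sha256_hex(blob) for name, blob in build.items()}


def classify(vendor: dict[str, str],
             rebuilds: dict[str, dict[str, str]],
             min_rebuilders: int = 2) -> dict[str, str]:
    """Classify each vendor artifact by comparing it with independent rebuilds.

    vendor:   artifact -> hash published by the vendor
    rebuilds: builder name -> (artifact -> hash) from that builder
    Verdicts:
      reproducible     rebuilders agree with each other and with the vendor
      nondeterministic rebuilders disagree with each other; the build itself
                       must be fixed before anything can be said about the vendor
      vendor-mismatch  rebuilders agree with each other but not with the vendor:
                       the vendor's toolchain or environment produced something
                       the source alone does not explain, so investigate
      unverified       fewer than min_rebuilders reported this artifact, so a
                       single (possibly compromised) builder cannot vouch for it
    """
    verdicts = {}
    for artifact, vendor_hash in vendor.items():
        seen = {b: h[artifact] for b, h in rebuilds.items() if artifact in h}
        if len(seen) < min_rebuilders:
            verdicts[artifact] = "unverified"
        elif len(set(seen.values())) > 1:
            verdicts[artifact] = "nondeterministic"
        elif next(iter(seen.values())) == vendor_hash:
            verdicts[artifact] = "reproducible"
        else:
            verdicts[artifact] = "vendor-mismatch"
    return verdicts


def run_check() -> dict[str, str]:
    """Hash the constructed sample builds and classify every vendor artifact."""
    vendor_hashes = hash_build(VENDOR_BUILD)
    rebuild_hashes = {name: hash_build(b) for name, b in REBUILDER_BUILDS.items()}
    return classify(vendor_hashes, rebuild_hashes)


if __name__ == "__main__":
    for artifact, verdict in sorted(run_check().items()):
        print(f"{artifact:12s} {verdict}")
```

On the sample data `hello` is reproducible, `docs.tar` is flagged as nondeterministic because each rebuild embeds its own timestamp (that has to be fixed before the artifact tells you anything), and `libutil.so` is a vendor mismatch: every independent rebuild agrees, and the vendor's binary differs. That mismatch is the signal this kind of check can give about a tampered build environment. It only works, though, when the rebuilders' own compilers are not all descended from the same binary seed; if every rebuilder starts from the same compromised compiler binary, they will all reproduce the same output and nothing mismatches, which is the gap the Guix full-source bootstrap discussed below is meant to close.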

Full-Source Bootstrap

Reproducible builds alone cannot ensure the source-to-binary correspondence: the compiler could contain a backdoor, as demonstrated by Ken Thompson in Reflections on Trusting Trust. To address that, Guix goes further by implementing so-called full-source bootstrap: for the first time, literally every package in the distribution is built from source code, starting from a very small binary seed. This gives an unprecedented level of transparency, allowing code to be audited at all levels, and improving robustness against the “trusting-trust attack” described by Ken Thompson.

1 Like