dgchultaeizJun 1
Every year, software development becomes more industrialized.
More packages. More dependencies. More automation.
And, inevitably, more blind trust.
A recent malicious VS Code extension reminded us of something Ken Thompson warned about more than forty years ago:
trusting our tools is unavoidable, but it is also dangerous.
Many organizations still focus on protecting the perimeter while introducing third-party code and dependencies with a level of trust that would be unacceptable anywhere else in their security architecture.
The attacker no longer needs to break the door.
Sometimes all they need is patience.
Anderson understood it in 1972.
Thompson warned us in 1984.
The names changed.
The pattern didn't.
#CyberSecurity #AppSec #SupplyChainSecurity #TrustingTrust
Show threadJannekeJan 25

@uutils @fosdem
Yes! The Full-Source Bootstrap, as pioneered by #Guix (https://guix.gnu.org/es/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/), to address the widely ignored #TrustingTrust problem is being ported to/implemented by @nixos_org

It would be amazing to see it in @debian / @ubuntu too and I'm a bit puzzled about what the introduction of Rust might do to what we have accomplished?

The Full-Source Bootstrap: Building from source all the way down — 2023 — Blog — GNU Guix

Artículos sobre GNU Guix.

AnisseDec 16, 2025

Interesting tidbit about Rust as used in the Android OS: to prevent the trusting trust attack, and not rely on rust-lang.org build, they bootstrapped rustc 1.19 with mrustc (0.8.0), and then built all following rustc versions with their previous version.

https://cs.android.com/android/platform/superproject/main/+/main:prebuilts/rust/bootstrap/README.md

#RustLang #Android #Toolchains #Bootstrapping #TrustingTrust

Hacker NewsNov 16, 2025

Running the "Reflections on Trusting Trust" Compiler

https://research.swtch.com/nih

#HackerNews #Running #Reflections #on #Trusting #Trust #Compiler #TrustingTrust #CompilerResearch #SoftwareDevelopment #Security

research!rsc: Running the “Reflections on Trusting Trust” Compiler

Show threadStefan GastOct 27, 2025

@filippo Meanwhile, bootstrapping a current OpenJDK involves compiling multiple ancient packages (each with its own set of outdated dependencies, of course) and then going up all the way from Java 7, version by version.

@stikonas has described this tedious process and developed some ebuilds for Gentoo here: https://git.stikonas.eu/andrius/gentoo-bootstrap

This also applies to Rust in a way, but at least it's not as bad there – not yet, as the old versions might eventually succumb to bitrot, too.

Please, dear programming language community, can we do better at this? For resilience, for reproducibility, for reliability, for portability and for preservation?

#bootstrappablebuilds #bootstrapping #reproduciblebuilds #trustingtrust #gentoo #openjdk #rust

gentoo-bootstrap

Gentoo overlay to bootstrap OpenJDK/Rust/Go

Forgejo: Beyond coding. We Forge.
Show threadJannekeOct 11, 2025

Edit: Added &c=my-comment to the URL,
please like my comment, or otherwise help me to reach LaurieWired? Boost=❤️ #askfedi

@regtur @reproducible_builds @guix @ekaitz_zarraga
@nlnet
@fsf
@fsfe
@gnutools
Seems #fedi didn't do their thing just yet, so I logged into the Evil Empire and added a comment. Not sure if that will do any good, tho. I guess maybe one or two of you who read this, and still have a Google account, could like my comment, but there are already comments with > 3K likes, so yeah.

Also, no idea how to reach them; they're talking about trust, and then only seem to on Big Tech platforms like TPPKAB (the platform previously known as birdsite), instagram, etc.

<https://www.youtube.com/watch?v=Fu3laL5VYdM&lc=UgxAf-w-tTYM5syB3x94AaABAg>
#bootstrappablebuilds #guix #gnu #reproducibleBuilds #supplyChainSecurity #trustingTrust

The Original Sin of Computing...that no one can fix

YouTube
Show threadJannekeOct 10, 2025

@regtur
Wait what? #GNU #Mes isn't being mentioned? Not even in the comments?
Fediverse do your thing!

cc: @lauriewired @reproducible_builds
@guix
@ekaitz_zarraga
@nlnet #bootstrappable
#bootstrappablebuilds
#guix
#trustingtrust

fraggleJul 12, 2025
In 1984, Ken Thompson (co-creator of Unix) revealed a mind-bending idea: a compiler that could inject a backdoor into any program it compiled — even if the source code was clean. Worse, the compiler itself could be compiled from a backdoored compiler, making the malicious code invisible in both the program and its build tools. His lecture, “Reflections on Trusting Trust,” remains one of the most important warnings in software security history.
#KenThompson #TrustingTrust #SoftwareSecurity #HackingLore #CompilerHacks
Show threadLisPiMar 14, 2025
@mildsunrise @jhominal @natty Oh, it had been made into a blogpost, not just an issue list post (https://issues.guix.gnu.org/74609), here it is: https://guix.gnu.org/blog/2024/adding-a-fully-bootstrapped-mono/

I was misremembering a bit too, it seems the attempt was completed.

Keyword: Trusting Trust

#TrustingTrust #CSharp #Mono
[PATCH] Adding a fully-bootstrapped mono

Wyatt (🏳️‍⚧️♀?)Feb 14, 2024
One of the most pleasant surprises at my last job was when my boss (religious windows user in IT dept) brought up Ken Thompson's Reflections on Trusting Trust paper. Not that he knew who Ken Thompson was.
https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
#trustingtrust