Shamar @Shamar@qoto.org

@natecull

What happened to "Cortana"?
What is "rampancy"?

@loweel

La differenza fondamentale è che la probabilità di scoprire una vulnerabilità in un sorgente è nettamente superiore a quella di scoprirla in un binario.

Naturalmente questa probabilità si riduce progressivamente all'aumentare della complessità del codice, ma fare di "tutta la birra un brodo" è, come già detto, miope.

Giusto per fare un esempio, OpenBSD è più sicuro di Windows o Linux perché espone, nella configurazione di default, meno vulnerabilità.

E' sicuro in assoluto e contro qualsiasi attaccante?

No, ovviamente.

Ma è _più_ sicuro di altri contro moltissimi attaccanti.

Hai ragione: la sicurezza di un sorgente non può essere data per scontata.

Ed una volta verificata, non puoi dare per scontata la sicurezza del compilatore e dunque del binario.
Cioè hai un sistema più sicuro (hai rimosso le vulnerabilità del sorgente) ma non sicuro in assoluto.

Su Linux, c'è chi sta lavorando proprio a minimizzare il grafo di dipendenze e rendere riproducibile la build a partire dai soli sorgenti:

https://www.joyofsource.com/we-did-it.html
https://github.com/fosslinux/live-bootstrap

Ma naturalmente non sono mai le persone che sono state convinte che sia impossibile, a far progredire il mondo. 😉

@miriamgreco@mastodon.uno @tassoman @fatualux

@miriamgreco@mastodon.uno

Purtroppo stai facendo confusione.

Sui sistemi Linux quella backdoor va installata scientemente da qualcuno che, in qualche modo, ha ottenuto accesso al sistema.

Le backdoor in Windows (ed in generale nei prodotti Microsoft) sono parte del sistema operativo stesso.

Qui trovi quelle scoperte nel solo 2021: https://www.cvedetails.com/vulnerability-list.php?vendor_id=26&product_id=&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=8&cvssscoremax=0&year=2021&month=0&cweid=0&order=1&trc=909&sha=2648b74d1c319051fa0ae719a0ab19d610cab150

@miriamgreco@mastodon.uno

Certo, questa è una ottima obbiezione.

Quando ho iniziato il porting di #GCC su #Jehanne, non immaginavo assolutamente che avrebbe di lì a poco abbandonato il progetto #GNU. Né ero consapevole che la Steering Committee [1] fosse composta in ampia prevalenza da dipendenti di aziende con contratti miliardari con il DoD americano (9 membri su 13).

Perché potessi accorgermene è stato necessario che togliessero #RMS su richiesta di un dipendente di #Facebook.

D'altronde la questione è seria e ben nota sin dai tempi di "Reflections on Trusting Trust" [2] e molti ci stanno lavorando da anni, attaccando il problema da vari fronti.

Detto questo rassegnarsi, collettivamente, al fatalismo del "eh ma tanto è tutto insicuro" è ciò che lascia molti esposti ad innumerevoli vulnerabilità che potrebbero essere facilmente evitate.

____

[1] https://gcc.gnu.org/steering.html

[2] https://cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

@tassoman @loweel @fatualux

@tassoman

Dipende dalla birra.

Certe tradiscono la tua fiducia, certe l'abusano, certe sono deludenti...

Insomma, non facciamo di tutte le birre un brodo! 🤣

@miriamgreco@mastodon.uno @loweel @fatualux

@ekaitz_zarraga As you know, I always think hackers should follow their own curiosity.
So there's nothing wrong studying GCC. There's even nothing wrong in using or hacking GCC.

I just don't feel safe by DEPENDING on GCC.

In case you are going to write about TCC internals, please don't forget to send me a link, though.
____

I don't remember much about target description macros, but started from here https://wiki.osdev.org/OS_Specific_Toolchain

I remember that learning about Spec Files was a turning point that raised my productivity in the port https://gcc.gnu.org/onlinedocs/gcc/Spec-Files.html

@ekaitz_zarraga Not an expert at all, but GCC made me crazy when I had to port it to #Jehanne.

Also, since the removal of #RMS from the #GCC SteeringCommittee I realized that its development is mostly in the hand of large US corporations with large DoD military contracts.

I mean, what can go wrong?

I started to port Jehanne to TCC but it's not that easy (in particular for the kernel parts) and after some days on that I moved to other stuffs. For now.

GCC is a cool tool(set).

Unfortunately, they forgot (or betrayed) the #GNU in their name.

@roboneko

You seem pretty confused.
(assuming you are not just trolling).

Maybe if you unroll the thread you might get the point.

Or maybe not.

Here a short recap:

1) @fsf points out that #Copyright law slows down human progress by comparing software to Pi

2) @agntsmith points out that mathematical constants are excluded by copyright protection

3) I noted that any software (or content or data) can be encoded as a mathematical constant basically because they are just notational conventions and proved my point by recalling the famous case of Carmody illegal primes.

4) @p2hang argued that I should get an education because I do not know that constants need mathematical proofs. When asked about a proof for the value of 1, he tried a call to authority by telling that Principia Mathematica contained such proof.

5) I opened Principia Mathematica and guess what? 1 is DEFINED, not proved, at page 36. So I deduced that he got an education but it didn't worked as he didn't understood what he studied (so much to not being able to tell a definition from a proof).

Finally you came arguing that judges consider intent (true) that not every number can be a constant (false), that the illegal primes are actually illegal (unknown, as no one even tried to open such legal pandora box) and several other confused argument I don't bother to repeat here.

And I didn't even mentioned the Curry-Howard equivalence!

Guess what?

Every single program out there is a theorem too. And theorem are not protected by copyright or patents.

So sure, maybe I need to get an education. But please tell me where you got yours so that I can avoid your misinformed arrogance.

😘

@p2hang

Just in case anybody would ponder if you know what you are talking about, here is page 36 of Principia Mathematica, where 1 is defined, without any proof whatsoever.

Maybe I need to "get an education" ¹ but please, tell me where you got your so that I won't repeat your waste of money and time. 😉

___

1) as you suggested here: https://chungus.cc/notice/AHQjqzgCD9TMBwzoWW

@p2hang

... and yet Phil Carmody is still free and his prime encoding #DeCSS was published.

Sure, @roboneko, you are right about the fact that a Judge consider actual intention, but as much as he want to praise the most powerful, he still has to follow the Law (at least formally).

And sure, I'm not suggesting to actually do anything illegal.

I'm just arguing that any software (or any content) CAN be encoded as a mathematical constant.

You just have to define it.

Now you say that by defining "mathematical constant" as "a convenient notation to precisely convey a useful meaning", I'm not using the term properly.

Let's assume you are right.

So what's the definition "anyone use"?

@s8n

What do you mean?

@p2hang @roboneko

@roboneko

Uhm... no.

Constants are _defined_.

Just as an example, (since @p2hang mentioned this book), attached you can read an extract from page 36 of #PrincipiaMathematica¹ where the number one is _defined_.

Mathematicians define mathematical constants all the time as they need them in their theorems.

It has nothing to do with their "size" (what is a "huge number" btw? huge compared to what?) and all to do with notational convenience.

As notations they are communication tools (just like the rest of Mathematics, to be fair²) and their usefulness depends on their arbitrary meaning, the information they convey.

So if you want to distribute a software you do not have the right to distribute, all you have to do is to express it as a (somewhat interesting) number and you are fine.

Here a constructive proof of this (quite obvious fact): http://fatphil.org/maths/illegal.html

Then sure, some constants can be expressed in several ways and you need to prove that each of them are equivalent.
That's the case of Pi's decimal expression, for example.

But confusing the process of defining constants and the process of expressing their value in a particular form shows that you do NOT understands mathematics at all.
___

1) https://en.m.wikipedia.org/wiki/Principia_Mathematica

2) http://www.tesio.it/2018/10/11/math-science-and-technology.html

@p2hang

😘

Dude, you are confusing the definition of a constant with its numerical expression (likely in base 10).

I argued, since the beginning, that any software can be encoded as a mathematical constant.

That is: for any software, you can define a mathematical constant whose binary representation correspond to its executable (or its UTF-8 source code, or...).

Just like you can define 1 to be... 1¹.

As for spelling, well... thanks God I'm not a native English speaker!

English is just one of the languages I can speak and likely not my favourite one!

Sure, I'm sorry for your pain, but trust me: USA caused (and cause) much MUCH more pain around the world!
___
¹ yet, to be honest, I would be eager to learn about the proof that help uncover "the value of one"!

@p2hang

Tell me you pretend to know something while you do not understand it at all¹.

Unfortunately you got an education.
And it didn't worked at all.

Maybe... get a culture²? 😉

____

1) Mathematical constants are nothing more than useful cultural conventions, see for example https://tauday.com/tau-manifesto

2) http://fatphil.org/maths/illegal.html

@agntsmith

Any software (or content) can be encoded as a mathematical constant.

@fsf