Metaprogramming and Free Availability of Sources

Rafael Kaufmann rnedal@olimpo.com.br
Tue, 29 Jun 1999 23:35:43 -0300


iepos@tunes.org wrote:
> 
> > On the other hand, modern-day
> > software is very difficult to reverse-engineer (well, anyways); compiled
> > code is a black box of sorts for 99.9% of the people who will ever use
> > it. Therefore, the users should be allowed to see what the software
> 
> i might add, for source code, it is about 98%.

That's true; the difference is more of a conceptual one - source code is
intended to be used by /humans/ - that is, if programmers qualify, and
if you're not programming in INTERCAL :)

> 
> > actually /does/, so that they can judge for themselves the quality of
> > the software and decide whether they want to use it or not. Without that
> 
> this is silly. people don't look at the source code to open-source programs
> before they run them to check to see if they're high-quality or not. the
> best way to tell if a program is high-quality is by running it (you don't
> need the source code for that).

I didn't express myself correctly. What I meant (and what RMS has
pointed out over and over) is that Free Software /allows/ the user to
see or change the source, if he wants to or if he deems it necessary.
E.g., a user can fix bugs for himself, can modify functionality, etc.

> 
> > kind of requirement, incidents can happen... like the Ken
> > Thompson/original UNIX CC fiasco (see the Jargon File for details).
> >
> 
> umm... where in the Jargon File is that?

Let me look it up... ah, here it is - under _back door_
(http://www.tuxedo.org/~esr/jargon/html/entry/back-door.html). For the
web-less or lazy, here it goes:

"Historically, back doors have often lurked in systems longer than
anyone expected or planned, and a few have become widely known. Ken
Thompson's 1983 Turing Award lecture to the ACM admitted the existence
of a back door in early Unix versions that may have qualified as the
most fiendishly clever security hack of all time. In this scheme, the C
compiler contained code that would recognize when the `login' command
was being recompiled and insert some code recognizing a password chosen
by Thompson, giving him entry to the system whether or not an account
had been created for him. 

"Normally such a back door could be removed by removing it from the
source code for the compiler and recompiling the compiler. But to
recompile the compiler, you have to use the compiler -- so Thompson also
arranged that the compiler would recognize when it was compiling a
version of itself, and insert into the recompiled compiler the code to
insert into the recompiled `login' the code to allow Thompson entry --
and, of course, the code to recognize itself and do the whole thing
again the next time around! And having done this once, he was then able
to recompile the compiler from the original sources; the hack
perpetuated itself invisibly, leaving the back door in place and active
but with no trace in the sources. 

"The talk that suggested this truly moby hack was published as
"Reflections on Trusting Trust", "Communications of the ACM 27", 8
(August 1984), pp. 761-763 (text available at
http://www.acm.org/classics). Ken Thompson has since confirmed that this
hack was implemented and that the Trojan Horse code did appear in the
login binary of a Unix Support group machine. Ken says the crocked
compiler was never distributed. Your editor has heard two separate
reports that suggest that the crocked login did make it out of Bell
Labs, notably to BBN, and that it enabled at least one late-night login
across the network by someone using the login name `kt'."


> 
> okay, i'll agree with you on one thing: users _should_ be allowed to
> see the source code to their software. however, this does not justify
> punishment of software-writers for not releasing their source code.
> on the other hand, it does justify trying to _persuade_ software-writers
> to release their source code, perhaps through the market by choosing other
> software that does come with source code.
> 
> note that i am not completely satisfied with our current intellectual property
> system. i certainly wish we didn't have copyright, patent, and trademark
> laws; however, as for a software-writer's choice to offer his source-code,
> i don't think we need government intervention. remember, you don't have
> to use software without source code if you don't want to...

I agree, especially on the last point; I'm a rational self-governist,
and strongly despise anything that smells of government interventionism.
Nonetheless, in a perfect world the high-quality Free Software would be
widely accepted (because of quality, user freedom and price) to the
detriment of proprietary blowware; but the FUD and propaganda as spread
by the large Big Brother-ish companies (I'm not going to name any names)
have great mindshare effect, and thus exert [sic] much more power on the
marketplace right now. So it's necessary that some action be taken to
change that - not government intervention, but maybe some kind of
awareness campaign akin to what ESR et al. are doing with the OSI.


Peace,

Kaufmann
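
Added example, not part of the original message or of the Jargon File entry: a toy Python model of the self-perpetuating compiler that the quoted passage describes, showing that review of the clean sources finds nothing while the tampered binary keeps reproducing itself across rebuilds. It goes one step beyond the quoted text by comparing builds against a second, independently obtained compiler; that compiler, the behaviour tags and every name below are constructed assumptions.

```python
"""Toy model: a 'binary' is only the set of behaviours it has.
Nothing here is real compiler code; all names and tags are constructed."""

# Clean sources, exactly as a reviewer would read them.
CLEAN_CC_SRC = {"name": "cc", "behaviours": {"translate"}}
LOGIN_SRC = {"name": "login", "behaviours": {"check_password"}}

HIDDEN = {"inject", "extra_password"}  # tags that never appear in any source


def compile_with(compiler_bin, source):
    """Run a compiler binary (frozenset of behaviours) over a source description."""
    out = set(source["behaviours"])        # what the source says
    if "inject" in compiler_bin:           # what a tampered binary adds silently
        if source["name"] == "login":
            out.add("extra_password")
        if source["name"] == "cc":
            out.add("inject")              # re-inserts itself into the next compiler
    return frozenset(out)


def audit_source(source):
    """Source review: can only flag what is written in the source."""
    return sorted(source["behaviours"] & HIDDEN)


def rebuild_generations(compiler_bin, n):
    """Recompile the clean compiler source with the current binary, n times."""
    for _ in range(n):
        compiler_bin = compile_with(compiler_bin, CLEAN_CC_SRC)
    return compiler_bin


def cross_check(suspect_cc, trusted_cc, source):
    """Build one source with both compilers and report behaviours that differ."""
    return sorted(compile_with(suspect_cc, source) ^ compile_with(trusted_cc, source))


TAMPERED_CC = frozenset({"translate", "inject"})  # constructed starting binary
TRUSTED_CC = frozenset({"translate"})             # assumed independent compiler

if __name__ == "__main__":
    print("source audit:", audit_source(CLEAN_CC_SRC), audit_source(LOGIN_SRC))
    print("after 5 rebuilds:", sorted(rebuild_generations(TAMPERED_CC, 5)))
    print("login diff:", cross_check(TAMPERED_CC, TRUSTED_CC, LOGIN_SRC))
    print("cc diff:", cross_check(TAMPERED_CC, TRUSTED_CC, CLEAN_CC_SRC))
```

Real compilers do not emit identical output for the same source, so an actual comparison has to be made between binaries that are expected to match bit for bit, not between abstract behaviour sets as in this model.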