From: Dennis Clarke
To: "Holmes.Sherlock"
Cc: gcc-help@gcc.gnu.org
Date: Mon, 17 Dec 2012 00:43:00 -0000
Subject: Re: Installing gcc 4.7.2 on Solaris 10 - SPARC platform

> If running through testsuite is the acid test of certification, then I'd
> also not want to package and release unless thoroughly tested. Still I have
> the build directory lying on my system. I haven't run a gcc testsuite
> earlier. Can you please let me know how to run a testsuite and post the
> result back? Is it downloadable from somewhere? How to run it? Apart from
> console log, does it produce any other log which I can post back?
>

Pretty well documented here :

    http://gcc.gnu.org/install/test.html

Essentially, and this is a belief in the absence of proof, software should pass some sort of test harness before we trust it at any level. Even if a software component may pass its own test suite with glorious flying colors we should still distrust it and keep a watchful eye upon it. Having said that, we know as a fact that really exceptional software ( ISC Bind for example ) does exist and it does pass a rigorous software test suite and yet in spite of this we still see horrendous bugs discovered that reveal weaknesses :

    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1667

Does this mean that we should not trust ISC Bind to run the entire name server infrastructure of the planet? In no way would I agree with such a stance. Furthermore should we trust a compiler that can not pass its own testsuite? Well no, we should not.

Even a perfect compiler can be used to construct a security violation. There is a famous lecture on this by Ken Thompson in his 1983 Turing Award speech named "Reflections on Trusting Trust" which revealed how a virtually invisible back door security hole could be inserted into a C compiler. Please look that one up.

What I am saying is that if you buy a car there should be some paper somewhere that says you can trust it in at least some way to not blow up nor take a sudden lurch to the left and kill people. We have safety standards ( these days ) to enforce this. In the same way I feel strongly that a critical piece of software used worldwide to produce other software pieces should come with a statement of compliance to some tests. In short, don't release a compiler that doesn't have a publicly posted test report somewhere.

It bothers me to no end that I can not find any such piece of paper from Red Hat nor Oracle to tell me that their GCC compiler in their distribution does anything correctly. God forbid we even glance at Oracle Studio 12 ( which was Sun Studio which was Forte Studio ..) as closed source stuff rarely comes with anything but the words "trust us".

Dennis

ps: I recently posted changes to nearly every Makefile.am in the flex project to get it to pass all but two of its own tests and yet still I trust flex because I know where it fails and why. Sometimes you just have to look at the source.