3 Feb
2025
3 Feb
'25
11:08 a.m.
I am an old mainframe guy. I could give you my COBOL deck of cards or the compile listing.
You could pour through the code looking for nefarious/malicious code. I then hand you the
object deck. You have no idea if it matches the code you looked at. The only way you could
be sure is to compile the code I gave you and use your own object deck.
So why is open source these days such a beneficial thing? DeepSeek may be open source but
I have no way to create my own executable. Besides, I don’t know what language it is
written in but I bet I have no expertise in it. No way to for me to identify nasty code.
Yes, many people may have reviewed the code but that does not mean what I am running is
the result of that code.
3 Feb
3 Feb
11:25 a.m.
On Feb 3, 2025, at 2:08 PM, Donald Whittemore via
cctalk <cctalk(a)classiccmp.org> wrote:
I am an old mainframe guy. I could give you my COBOL deck of cards or the compile
listing. You could pour through the code looking for nefarious/malicious code. I then hand
you the object deck. You have no idea if it matches the code you looked at. The only way
you could be sure is to compile the code I gave you and use your own object deck.
So why is open source these days such a beneficial thing? DeepSeek may be open source but
I have no way to create my own executable. Besides, I don’t know what language it is
written in but I bet I have no expertise in it. No way to for me to identify nasty code.
Yes, many people may have reviewed the code but that does not mean what I am running is
the result of that code.
Open source, properly defined, means not just that you can see the code but that you have
the possibility of building it. If DeepSeek is advertised as open source but you
can't create your own executable, that's clearly false advertising.
The language doesn't matter so long as it's an available one. If you don't
know it you can learn. For example, you could write open source code in COBOL, that's
perfectly valid. Not a whole lot of people are left who can check your work, but anyone
who wants to can learn the necessary basics.
BTW, strictly speaking you should also suspect the compiler. See "Reflections on
trusting trust".
paul
11:36 a.m.
> On Feb 3, 2025, at 2:08 PM, Donald Whittemore via
cctalk <cctalk(a)classiccmp.org> wrote:
>
> I am an old mainframe guy. I could give you my COBOL deck of cards or the compile
listing. You could pour through the code looking for nefarious/malicious code. I then hand
you the object deck. You have no idea if it matches the code you looked at. The only way
you could be sure is to compile the code I gave you and use your own object deck.
On Mon, 3 Feb 2025, Paul Koning via cctalk wrote:
Open source, properly defined, means not just that you
can see the code but that you have the possibility of building it. If DeepSeek is
advertised as open source but you can't create your own executable, that's clearly
false advertising.
The language doesn't matter so long as it's an available one. If you don't
know it you can learn. For example, you could write open source code in COBOL, that's
perfectly valid. Not a whole lot of people are left who can check your work, but anyone
who wants to can learn the necessary basics.
BTW, strictly speaking you should also suspect the compiler. See "Reflections on
trusting trust".
paul
There is, or was, a COBOL compiler "ported" (prob'ly just keywords and
messages translated) to chinese.
Although it is doubtful that Deepseek was written in COBOL, it
nevertheless is possible.
That deck would be difficult to even source enough blank cards for. :-)
11:57 a.m.
On 02/03/2025 2:36 PM EST Fred Cisin via cctalk
<cctalk(a)classiccmp.org> wrote:
That deck would be difficult to even source enough
blank cards for. :-)
I suspect for the several million cards you'd need you could easily get some local
paper company to tool up and make them fairly reasonably :-)
Will
You just can't beat the person who never gives up.
Babe Ruth
1:56 p.m.
I suspect for the several million cards you'd
need you could easily get some local paper company to tool up and make them fairly
reasonably :-)
Likely not. Proper paper for punch cards is NOTORIOUSLY difficult to
make. Cardamation tried after the supply ran out, and they failed.
I have about 200,000 and they really do not take up much room.
--
Will
11:36 a.m.
On Mon, Feb 3, 2025 at 11:25 AM Paul Koning via cctalk <
cctalk(a)classiccmp.org> wrote:
"but I have no way to create my own executable" it's a model, not an
executable.
Per the github page "6. How to Run Locally" ... "DeepSeek-V3 can be
deployed locally using the following hardware and open-source community
software"
Broadly I gave up on the original post at " I am an old mainframe guy"
On Feb 3, 2025, at 2:08 PM, Donald Whittemore via
cctalk <
cctalk(a)classiccmp.org> wrote:
I am an old mainframe guy. I could give you my COBOL deck of cards or
the compile listing. You could pour through the code looking for
nefarious/malicious code. I then hand you the object deck. You have no idea
if it matches the code you looked at. The only way you could be sure is to
compile the code I gave you and use your own object deck.
So why is open source these days such a beneficial thing? DeepSeek may
be open source but I have no way to create my own executable. Besides, I
don’t know what language it is written in but I bet I have no expertise in
it. No way to for me to identify nasty code.
Yes, many people may have reviewed the code but that does not mean what
I am running is the result of that code.
Open source, properly defined, means not just that you can see the code
but that you have the possibility of building it. If DeepSeek is
advertised as open source but you can't create your own executable, that's
clearly false advertising.
12:42 p.m.
I was not being specific on language or the app. I was questioning the general impression
that open source is safe(r). If I am not proficient in the source language or have the
ability to create my own executable I don’t see how open source is ‘safer’ for the average
Joe or app.
12:46 p.m.
On Mon, Feb 3, 2025 at 12:42 PM Donald Whittemore via cctalk <
cctalk(a)classiccmp.org> wrote:
If I am not proficient in the source language or have
the ability to
create my own executable I don’t see how open source is ‘safer’ for the
average Joe or app.
I'm not seeing what *your* abilities (to understand, to create your own
version etc) has to do with code safety?
12:51 p.m.
If I don’t have the code expertise or compiling capability how do I know the executable is
safe?
12:54 p.m.
You do not have that absolute ability to know. You can rely on a virus scanner to help but
that’s not absolute either.
Sent from my iPhone
On Feb 3, 2025, at 12:51, Donald Whittemore via cctalk
<cctalk(a)classiccmp.org> wrote:
If I don’t have the code expertise or compiling capability how do I know the executable
is safe?
1:04 p.m.
On Mon, Feb 03, 2025 at 08:54:49PM +0000, Wayne S via cctalk wrote:
You do not have that absolute ability to know. You can
rely on a virus
scanner to help but that’s not absolute either.
Except those also have a lovely track record off becoming entry points
for malicious software by themselves due to the deep system access and
privileges they tend to require.
Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
12:56 p.m.
On Mon, Feb 3, 2025 at 12:51 PM Donald Whittemore via cctalk <
cctalk(a)classiccmp.org> wrote:
If I don’t have the code expertise or compiling
capability how do I know
the executable is safe?
How do you know a closed-source executable is safe? Hackers have
installed vulnerabilities into closed source software.
As previously said, even if you have the code expertise and ability to
re-compile you're trusting your compiler.
You seem to be looking for a guarantee that doesn't exist.
Now whether 1,000,000 eye balls looking for bugs in open source code
results in a "safer" end product given that there are an arbitrary number
of bad actors who can also look for vulnerabilities is an issue of
legitimate debate. Of course many of these are already looking through
closed source binaries for vulnerabilities.
1:14 p.m.
My own thoughts as a sometimes-opensource developer:
1. Opensource allows you to leverage the community. They will sometimes
research problems, fix bugs, or develop features.
2. Opensource allows people to answer their own questions. Documentation
always drifts from implementation. If you want to know how something works,
read the code. It may take some effort, but you'll know how it works.
3. Opensource inhibits "security through obscurity" by preventing
obscurity. You're less likely to do dumb things in plain sight, and more
likely to get caught if you do.
Being able to "build it yourself" is the benefit that seems to have most
been talked about in this thread, but then you go down the rabbit-hole of
"... but did you build the compiler yourself?" and "... but did you build
the compiler that compiled the compiler yourself?".
Scott
On Mon, Feb 3, 2025 at 1:03 PM Tony Jones via cctalk <cctalk(a)classiccmp.org>
wrote:
On Mon, Feb 3, 2025 at 12:51 PM Donald Whittemore via
cctalk <
cctalk(a)classiccmp.org> wrote:
If I don’t have the code expertise or compiling
capability how do I know
the executable is safe?
How do you know a closed-source executable is safe? Hackers have
installed vulnerabilities into closed source software.
As previously said, even if you have the code expertise and ability to
re-compile you're trusting your compiler.
You seem to be looking for a guarantee that doesn't exist.
Now whether 1,000,000 eye balls looking for bugs in open source code
results in a "safer" end product given that there are an arbitrary number
of bad actors who can also look for vulnerabilities is an issue of
legitimate debate. Of course many of these are already looking through
closed source binaries for vulnerabilities.
12:51 p.m.
Open source is only safer in that the source code is available to be analyzed and compiled
into something usable. Even if you compile the source, there still might be “unsafe”
things in it, hence it should be analyzed first.
If safety is of paramount importance, a supplied object or executable should never be
used. That’s just common sense.
Sent from my iPhone
On Feb 3, 2025, at 12:42, Donald Whittemore via cctalk
<cctalk(a)classiccmp.org> wrote:
I was not being specific on language or the app. I was questioning the general
impression that open source is safe(r). If I am not proficient in the source language or
have the ability to create my own executable I don’t see how open source is ‘safer’ for
the average Joe or app.
1:14 p.m.
On Feb 3, 2025, at 4:08 PM, Chuck Guzis via cctalk
<cctalk(a)classiccmp.org> wrote:
On 2/3/25 12:51, Wayne S via cctalk wrote:
There is something there, though. If you use a binary supplied by a packager you have to
worry not just about the bugs in the original open source project, but also about bugs
added by patches created by the packager. There is a notorious example of one of the
Linux distributions (Debian?) inserting a fatal security bug into openSSL. The original
was right, but someone made a patch that clearly demonstrated an utter lack of clue.
paul
If safety is of paramount importance, a supplied
object or executable should never be used. That’s just common sense.
Sent from my iPhone
Seems to be a cognitive disconnect, here. 
2:52 p.m.
On 2/3/25 13:14, Paul Koning wrote:
You miss my tongue-in-cheek observation. iPhone software isn't, to bhe
best of my knowledge, open-source. How does one know or determine that
there's not malware in vendor-supplied software?
--Chuck
On Feb 3, 2025, at 4:08 PM, Chuck Guzis via
cctalk <cctalk(a)classiccmp.org> wrote:
On 2/3/25 12:51, Wayne S via cctalk wrote:
There is something there, though. If you use a binary supplied by a packager you have to
worry not just about the bugs in the original open source project, but also about bugs
added by patches created by the packager. There is a notorious example of one of the
Linux distributions (Debian?) inserting a fatal security bug into openSSL. The original
was right, but someone made a patch that clearly demonstrated an utter lack of clue.
If safety is of paramount importance, a supplied
object or executable should never be used. That’s just common sense.
Sent from my iPhone
Seems to be a cognitive disconnect, here. 
3:54 p.m.
On 2025-02-03 3:52 p.m., Chuck Guzis via cctalk wrote:
You miss my tongue-in-cheek observation. iPhone
software isn't, to bhe
best of my knowledge, open-source. How does one know or determine that
there's not malware in vendor-supplied software?
I use a LAND LINE, I know the phone works.
I need it top secret I have shoe phone.
--Chuck
It is not malware, but good marketing to have to upgrade
on every release.
Ben.
PS. is me or just the internet browsing getting so full of ads
and questionable redirects that on can't use it any more.
4 Feb
4 Feb
6:32 a.m.
On 03/02/2025 23:54, ben via cctalk wrote:
On 2025-02-03 3:52 p.m., Chuck Guzis via cctalk
wrote:
Not available in many locations...
You miss my tongue-in-cheek observation. iPhone
software isn't, to bhe
best of my knowledge, open-source. How does one know or determine that
there's not malware in vendor-supplied software?
I use a LAND LINE, I know the phone works.
I need it top secret I have shoe phone.
--Chuck
It is not malware, but good marketing to have to upgrade
on every release.
Ben.
PS. is me or just the internet browsing getting so full of ads
and questionable redirects that on can't use it any more.
I find I need a blocker...
Dave
3 Feb
3 Feb
12:51 p.m.
On Feb 3, 2025, at 3:42 PM, Donald Whittemore via
cctalk <cctalk(a)classiccmp.org> wrote:
I was not being specific on language or the app. I was questioning the general impression
that open source is safe(r). If I am not proficient in the source language or have the
ability to create my own executable I don’t see how open source is ‘safer’ for the average
Joe or app.
That's true but that's because of your limitations, not because of the nature of
open source.
Open source is the "thousand eyeballs" notion that more review is better. Those
eyeballs need to be skilled, not just in the programming language used but more
importantly in the subject matter of the code. You can't be a good open source
compiler reviewer if you're not skilled in compilers. You can't verify the
correctness of, say, GPG, if you don't know cryptography.
The general population of software users is the beneficiary of all those eyeballs; it
isn't necessary for every last one of them to do the reviewing.
paul
1:01 p.m.
On Mon, Feb 3, 2025 at 2:43 PM Paul Koning via cctalk
<cctalk(a)classiccmp.org> wrote:
Open source, properly defined, means not just that you
can see the code but that you have the possibility of building it. If DeepSeek is
advertised as open source but you can't create your own executable, that's clearly
false advertising.
If you can't afford enough RAM/disk/CPUs to create and run
it, that
doesn't mean "not Open Source". Likewise with access to sufficient
volume of training data in the case of an LLM.
12:40 p.m.
On Mon, Feb 03, 2025 at 07:08:32PM -0000, Donald Whittemore via cctalk wrote:
I am an old mainframe guy. I could give you my COBOL
deck of cards or the
compile listing. You could pour through the code looking for
nefarious/malicious code. I then hand you the object deck. You have no idea
if it matches the code you looked at. The only way you could be sure is to
compile the code I gave you and use your own object deck.
So why is open source these days such a beneficial thing?
The idea of Open Source is that not only do you have the source code (which
you could get before even for closed source products, e.g. various DEC
source distributions on e.g. microfiche - which was of course still owned and
copyrighted by DEC), but you can build your own binaries from it, you can
change it (and build updated binaries) and - depending on license - are
usually encouraged to share you changes.
DeepSeek may be
open source but I have no way to create my own executable.
It's a model, not source code. There is no binary in the usual sense. Calling
it Open Source is definitely misleading as here it only means you can
legally (maybe - that whole LLM space is a bunch of already ongoing lawsuits
and an avalanche of more lawsuits waiting to happen due to their creators
approach to intellectual property and privacy) run the model yourself without
paying whoever built it.
Besides, I don’t
know what language it is written in but I bet I have no expertise in it. No
way to for me to identify nasty code.
It's worse than that. It's not written in any language as such. It is a
trained machine learning model (specifically, a transformer based LLM),
that is essentially an undebuggable black box. Don't like the output the
model produces? Adjust the training and retrain.
Additionally, all the publicly available hosted LLMs (e.g. ChatGPT) are
wrapped in filter layers that both filter the input (i.e. queries against
the model) and the output of the model to keep the worst outrages (e.g.
"I asked ChatGPT how to build a bomb and it gave me detailed instructions!")
somewhat contained.
On top of that: A lot of those LLMs are build on theft at an epically large
scale. They hovered up everything in sight (and then some) without even
pretending to care about intellectual property rights - e.g. the NY Times
has taken OpenAI to court because they managed to make the OpenAI LLMs
spit out long verbatim fragments of NY Times content. The hilarious part
is that DeepSeek essentially stole from OpenAI that which OpenAI previously
stole from everyone else and OpenAI is very angry about the lack of honor
among thieves or something ;-)
Yes, many people may have reviewed the code but that
does not mean what I am
running is the result of that code.
Aside from the classic "Reflections on trusting trust", you are far more
likely to get bitten by wonky compiler optimizations than an actually
malicious compiler.
Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
12:54 p.m.
On Feb 3, 2025, at 3:40 PM, Alexander Schreiber via
cctalk <cctalk(a)classiccmp.org> wrote:
...
On top of that: A lot of those LLMs are build on theft at an epically large
scale. They hovered up everything in sight (and then some) without even
pretending to care about intellectual property rights - e.g. the NY Times
has taken OpenAI to court because they managed to make the OpenAI LLMs
spit out long verbatim fragments of NY Times content. The hilarious part
is that DeepSeek essentially stole from OpenAI that which OpenAI previously
stole from everyone else and OpenAI is very angry about the lack of honor
among thieves or something ;-)
Excellent point. I tend to refer to LLMs as "derived work generators" to point
out the copyright problems that are fundamental to what they do.
I also tend to wonder about web hoovering as a training scheme, given that a lot of web
content is fiction. And I don't mean "misinformation", I just mean novels
and the like. What happens to an LLM that inhales "The Martian" or
"Ringworld" ?
paul
1:12 p.m.
On Mon, Feb 03, 2025 at 03:54:31PM -0500, Paul Koning via cctalk wrote:
I just call them "bullshit generators", based on Harry Frankfurt's "On
Bullshit".
On Feb 3, 2025, at 3:40 PM, Alexander Schreiber
via cctalk
<cctalk(a)classiccmp.org> wrote:
... On top of that: A lot of those LLMs are build on theft at an epically
large scale. They hovered up everything in sight (and then some) without
even pretending to care about intellectual property rights - e.g. the NY
Times has taken OpenAI to court because they managed to make the OpenAI
LLMs spit out long verbatim fragments of NY Times content. The hilarious
part is that DeepSeek essentially stole from OpenAI that which OpenAI
previously stole from everyone else and OpenAI is very angry about the lack
of honor among thieves or something ;-)
Excellent point. I tend to refer to LLMs as "derived work generators" to
point out the copyright problems that are fundamental to what they do. I also tend to wonder about web hoovering as a
training scheme, given that a
lot of web content is fiction. And I don't mean "misinformation", I just
mean novels and the like. What happens to an LLM that inhales "The Martian"
or "Ringworld" ?
That's probably a lot less harmless than what already happened: More than
one model had to be pulled back and deleted (as well as the corpus it was
trained from) because its makers had unknowingly hovered up CSAM content,
trained the model with it and it was cheerfully spitting that filth out again.
If you blindly hover up the entire Internet, you're going find stuff that
you probably don't want to have on your systems.
Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
1:27 p.m.
Sent from my iPhone
On Feb 3, 2025, at 13:15, Alexander Schreiber via
cctalk <cctalk(a)classiccmp.org> wrote:
On Mon, Feb 03, 2025 at 03:54:31PM -0500, Paul Koning via cctalk wrote:
I just call them "bullshit generators", based on Harry Frankfurt's
"On
Bullshit".
On Feb 3, 2025, at 3:40 PM, Alexander Schreiber
via cctalk
<cctalk(a)classiccmp.org> wrote:
... On top of that: A lot of those LLMs are build on theft at an epically
large scale. They hovered up everything in sight (and then some) without
even pretending to care about intellectual property rights - e.g. the NY
Times has taken OpenAI to court because they managed to make the OpenAI
LLMs spit out long verbatim fragments of NY Times content. The hilarious
part is that DeepSeek essentially stole from OpenAI that which OpenAI
previously stole from everyone else and OpenAI is very angry about the lack
of honor among thieves or something ;-)
Excellent point. I tend to refer to LLMs as "derived work generators" to
point out the copyright problems that are fundamental to what they do.
I also tend to wonder about web hoovering as a
training scheme, given that a
lot of web content is fiction. And I don't mean "misinformation", I just
mean novels and the like. What happens to an LLM that inhales "The Martian"
or "Ringworld" ?
That's probably a lot less harmless than what already happened: More than
one model had to be pulled back and deleted (as well as the corpus it was
trained from) because its makers had unknowingly hovered up CSAM content,
trained the model with it and it was cheerfully spitting that filth out again.
If you blindly hover up the entire Internet, you're going find stuff that
you probably don't want to have on your systems.
Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
1:30 p.m.
Alex, your posts come over with the “flag” set (i get a red “flag” on my iphone). Did you
mean to flag all your responses for some reason ?
Sent from my iPhone
On Feb 3, 2025, at 13:15, Alexander Schreiber via
cctalk <cctalk(a)classiccmp.org> wrote:
On Mon, Feb 03, 2025 at 03:54:31PM -0500, Paul Koning via cctalk wrote:
I just call them "bullshit generators", based on Harry Frankfurt's
"On
Bullshit".
On Feb 3, 2025, at 3:40 PM, Alexander Schreiber
via cctalk
<cctalk(a)classiccmp.org> wrote:
... On top of that: A lot of those LLMs are build on theft at an epically
large scale. They hovered up everything in sight (and then some) without
even pretending to care about intellectual property rights - e.g. the NY
Times has taken OpenAI to court because they managed to make the OpenAI
LLMs spit out long verbatim fragments of NY Times content. The hilarious
part is that DeepSeek essentially stole from OpenAI that which OpenAI
previously stole from everyone else and OpenAI is very angry about the lack
of honor among thieves or something ;-)
Excellent point. I tend to refer to LLMs as "derived work generators" to
point out the copyright problems that are fundamental to what they do.
I also tend to wonder about web hoovering as a
training scheme, given that a
lot of web content is fiction. And I don't mean "misinformation", I just
mean novels and the like. What happens to an LLM that inhales "The Martian"
or "Ringworld" ?
That's probably a lot less harmless than what already happened: More than
one model had to be pulled back and deleted (as well as the corpus it was
trained from) because its makers had unknowingly hovered up CSAM content,
trained the model with it and it was cheerfully spitting that filth out again.
If you blindly hover up the entire Internet, you're going find stuff that
you probably don't want to have on your systems.
Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
4 Feb
4 Feb
4:07 a.m.
On Mon, Feb 03, 2025 at 09:30:03PM +0000, Wayne S wrote:
Alex, your posts come over with the “flag” set (i get
a red “flag” on my
iphone). Did you mean to flag all your responses for some reason ?
Interesting. Do you just get a red flag or is there also some message
text displayed? I don't have an iPhone to test and nothing shows up
in GMail (nor mutt, for that matter).
I'm setting a bunch of custom headers in my mail and the most likely
culprit here is this one:
X-message-flag: Please send plain text messages only. Thank you.
I discovered ~20y ago that with this, one could insert a custom message
into the email display of the MS Outlook client and since Outlook users
where the canonical offenders for only sending HTML back then, that's
what I did.
Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
3 Feb
3 Feb
1:09 p.m.
On Mon, Feb 3, 2025 at 12:45 PM Alexander Schreiber via cctalk <
cctalk(a)classiccmp.org> wrote:
On Mon, Feb 03, 2025 at 07:08:32PM -0000, Donald
Whittemore via cctalk
wrote:
On top of that: A lot of those LLMs are build on theft at an epically large
scale. They hovered up everything in sight (and then some) without even
pretending to care about intellectual property rights - e.g. the NY Times
has taken OpenAI to court because they managed to make the OpenAI LLMs
spit out long verbatim fragments of NY Times content. The hilarious part
is that DeepSeek essentially stole from OpenAI that which OpenAI previously
stole from everyone else and OpenAI is very angry about the lack of honor
among thieves or something ;-)
My understanding was that OpenAI accused DeepSeek of "distilling" their
model. Via presumably making API queries to OpenAIs service. However
normally 'distillation" is the process of generating a smaller
("student")
model from a larger ("teacher") model except in this case DeepSeek
apparantly created something more of a peer to the teacher. Maybe there
was some "veneer" final training but the basic assertion of "they stole
our
work" is probably more of OpenAI trying to control the narrative. Now
whether DeepSeek stole N different entities IP, that's a different
question. As you said there is no way to reproduce the model, so
what's on github isn't "open source" in most peoples understanding.
Still it's better than Microsoft/OpenAI where the model is "closed" behind
an API.
12:57 p.m.
On Mon, Feb 3, 2025 at 2:08 PM Donald Whittemore via cctalk
<cctalk(a)classiccmp.org> wrote:
I am an old mainframe guy. I could give you my COBOL
deck of cards or the compile listing. You could pour through the code looking for
nefarious/malicious code. I then hand you the object deck. You have no idea if it matches
the code you looked at. The only way you could be sure is to compile the code I gave you
and use your own object deck.
That's basically true but "why Open Source" goes way beyond that.
From the start, Open Source wasn't focused on "this is good for
security" but "I should have the right to repair". In the face of
100% proprietary software, users have to beg the vendor to fix bugs,
add features, then there's what happens to products that are abandoned
and the OS moves on and updates are mandatory (system calls, adding
SMP spinlocking (done that myself), and more).
At the root of Open Source is you, the user, have the right to the source code.
In the early days, that's as far as it went but especially after the
Morris Worm, security became very important, Open Source afforded
users the ability to inspect the code for vulnerabilities in ways that
you could not if all you had was the binaries.
.
So why is open source these days such a beneficial
thing?
Because it allows those folks with skills (or money to hire out) the
_ability_ to modify software, to build on the work of others. Now,
it's not just one person or company writing code, anyone it touches
can have a shot.
DeepSeek may be open source but I have no way to
create my own executable. Besides, I don’t know what language it is written in but I bet I
have no expertise in it. No way to for me to identify nasty code.
Not all things are for all people. I don't know COBOL (I decided that
back in 1978) so I would be the wrong person to evaluate or extend
that, but there's plenty of stuff I can and do work on. I'm a
contributor to several Open Source projects. I'm happy to help on
them because I have the skills and I have the interest. Not everyone
does. Some people just download and consume, and that's fine too.
Yes, many people may have reviewed the code but that
does not mean what I am running is the result of that code.
That's on you.
-ethan
1:01 p.m.
To all, i do think the meaning of “Safer” needs to be explained in the context of this
debate.
Sent from my iPhone
On Feb 3, 2025, at 12:57, Ethan Dicks via cctalk
<cctalk(a)classiccmp.org> wrote:
On Mon, Feb 3, 2025 at 2:08 PM Donald Whittemore via cctalk
<cctalk(a)classiccmp.org> wrote:
I am an old mainframe guy. I could give you my
COBOL deck of cards or the compile listing. You could pour through the code looking for
nefarious/malicious code. I then hand you the object deck. You have no idea if it matches
the code you looked at. The only way you could be sure is to compile the code I gave you
and use your own object deck.
That's basically true but "why Open Source" goes way beyond that.
From the start, Open Source wasn't focused on "this is good for
security" but "I should have the right to repair". In the face of
100% proprietary software, users have to beg the vendor to fix bugs,
add features, then there's what happens to products that are abandoned
and the OS moves on and updates are mandatory (system calls, adding
SMP spinlocking (done that myself), and more).
At the root of Open Source is you, the user, have the right to the source code.
In the early days, that's as far as it went but especially after the
Morris Worm, security became very important, Open Source afforded
users the ability to inspect the code for vulnerabilities in ways that
you could not if all you had was the binaries.
.
So why is open source these days such a
beneficial thing?
Because it allows those folks with skills (or money to hire out) the
_ability_ to modify software, to build on the work of others. Now,
it's not just one person or company writing code, anyone it touches
can have a shot.
DeepSeek may be open source but I have no way to
create my own executable. Besides, I don’t know what language it is written in but I bet I
have no expertise in it. No way to for me to identify nasty code.
Not all things are for all people. I don't know COBOL (I decided that
back in 1978) so I would be the wrong person to evaluate or extend
that, but there's plenty of stuff I can and do work on. I'm a
contributor to several Open Source projects. I'm happy to help on
them because I have the skills and I have the interest. Not everyone
does. Some people just download and consume, and that's fine too.
Yes, many people may have reviewed the code but
that does not mean what I am running is the result of that code.
That's on you.
-ethan
2:08 p.m.
At the root of Open Source is you, the user, have the right to the
source code.
In the early days, that's as far as it went but especially after the
Morris Worm, security became very important, Open Source afforded
users the ability to inspect the code for vulnerabilities in ways that
you could not if all you had was the binaries.
But open source should have fixed versions, if possible.
Look at C compilers. I need a K&R C compiler for say 8088 build.
I might not want the latest C standard.
What version has the fewest bugs.
2:28 p.m.
On Mon, Feb 3, 2025 at 2:08 PM ben via cctalk <cctalk(a)classiccmp.org> wrote:
For gcc this is what --std is for. Though I'm not sure it can be forced
to only accept K&R.
What version has the fewest bugs.
Proprietary info for most closed source code, no?
But open source should have fixed versions, if possible.
I'm not really sure what this means. Most open source projects have
defined release versions.
I might not want the latest C standard.
2:32 p.m.
It was thus said that the Great ben via cctalk once stated:
You will have to evaluate the C compiler in question. The C Standard
covers not only the C language, but of a library as well, so your concerns
about bugs applies to both the compiler and the library that comes with it.
And it's not like there's just one C compiler everybody uses.
While a C99 compiler will work with K&R style code, and may very well
generate better code, there may still be issues because newer C compilers
take advantage of undefined behavior to optimize the code, to the degree
that once valid C code now exhibits bugs. For instance, this fragment of
code:
/* a and b are signed integers */
if (a + b < a) /* check for overflow */
handle_it();
may very well be removed because signed overflow in C is undefined, and by
definition (per the compiler writers) a programmer will never intentionally
invoke undefined bahavior, the code can be removed because it will never be
true (and this is current behavior! Really!).
So it could be that C99 will work for you, it might not. A C89-only
compiler will work---it'll still accept K&R style code, and it will be old
enough to avoid the "exploit undefined behavior for better benchmarks"
compilers we have today. Or find an old K&R C compiler. They still exist,
but generate very bad code.
-spc
At the root of Open Source is you, the user, have the right to the
source code.
In the early days, that's as far as it went but especially after the
Morris Worm, security became very important, Open Source afforded
users the ability to inspect the code for vulnerabilities in ways that
you could not if all you had was the binaries.
But open source should have fixed versions, if possible.
Look at C compilers. I need a K&R C compiler for say 8088 build.
I might not want the latest C standard.
What version has the fewest bugs.
3:47 p.m.
On 2025-02-03 3:32 p.m., Sean Conner via cctalk wrote:
It was thus said that the Great ben via cctalk once
stated:
You will have to evaluate the C compiler in question. The C Standard
covers not only the C language, but of a library as well, so your concerns
about bugs applies to both the compiler and the library that comes with it.
And it's not like there's just one C compiler everybody uses.
While a C99 compiler will work with K&R style code, and may very well
generate better code, there may still be issues because newer C compilers
take advantage of undefined behavior to optimize the code, to the degree
that once valid C code now exhibits bugs. For instance, this fragment of
code:
/* a and b are signed integers */
if (a + b < a) /* check for overflow */
handle_it();
may very well be removed because signed overflow in C is undefined, and by
definition (per the compiler writers) a programmer will never intentionally
invoke undefined bahavior, the code can be removed because it will never be
true (and this is current behavior! Really!).
So it could be that C99 will work for you, it might not. A C89-only
compiler will work---it'll still accept K&R style code, and it will be old
enough to avoid the "exploit undefined behavior for better benchmarks"
compilers we have today. Or find an old K&R C compiler. They still exist,
but generate very bad code.
-spc
So where does on find a older version, on a current Linux build.
we don't support it!!! We only port the latest intel CPU.
You have 32 bit compilers, or bigger. I might want a 16 bit compiler
under Linux.
I was hoping to use Embeddable Linux Kernel Subset (ELKS) BCC compiler
and the 6809 code generator, but NO they had to rewrite it just for the
386.
Open source is popular because it was free.
No compiler generates bad code,just some hardware was never meant to
have stack based addressing, like the 6502 or the 8088/8086.
Look at the mess that small C has for 8088/8086 code gen.
Self hosting never seems to be important for C compiler on a small machine.
At the root of Open Source is you, the user, have the right to the
source code.
In the early days, that's as far as it went but especially after the
Morris Worm, security became very important, Open Source afforded
users the ability to inspect the code for vulnerabilities in ways that
you could not if all you had was the binaries.
But open source should have fixed versions, if possible.
Look at C compilers. I need a K&R C compiler for say 8088 build.
I might not want the latest C standard.
What version has the fewest bugs.
4:06 p.m.
On 2/3/25 15:47, ben via cctalk wrote:
No compiler generates bad code,just some hardware was
never meant to
have stack based addressing, like the 6502 or the 8088/8086.
Really? The x86 family does indeed have stack-based addressing. In
particular, The BP register holds the base of the stack frame and the
assumed segment is SS. Even the lowly 8085 has some (undocumented) nod
toward stack addressing.
--Chuck
5:43 p.m.
On 2025-02-03 5:06 p.m., Chuck Guzis via cctalk wrote:
On 2/3/25 15:47, ben via cctalk wrote:
I don't like to have to play around with, DS and SS
and that index register mess. The 6809 or the PDP-11 makes
for easy indexing.
No compiler generates bad code,just some hardware
was never meant to
have stack based addressing, like the 6502 or the 8088/8086.
Really? The x86 family does indeed have stack-based addressing. In
particular, The BP register holds the base of the stack frame and the
assumed segment is SS. Even the lowly 8085 has some (undocumented) nod
toward stack addressing. --Chuck
Was the X86 family meant for pascal type languages?
Other than the small model, every thing is a hack.
5:56 p.m.
On 2025-02-03 5:06 p.m., Chuck Guzis via cctalk
wrote:
> Really? The x86 family does indeed have stack-based addressing. In
> particular, The BP register holds the base of the stack frame and the
> assumed segment is SS. Even the lowly 8085 has some (undocumented) nod
> toward stack addressing.
On Mon, 3 Feb 2025, ben via cctalk wrote:
I don't like to have to play around with, DS and
SS
and that index register mess. The 6809 or the PDP-11 makes
for easy indexing.
Was the X86 family meant for pascal type languages?
Other than the small model, every thing is a hack.
It was generally agreed on many of the new features needed.
Motorola abandoned their previous code base, and designed the 68000.
Intel realized that they could "get away with" just adding patches and
kluges.
Yes, a "flat" memory model is simpler.
For getting started, you can set CS, DS, ES. and SS to the same; org your
program at 100h.
7:28 p.m.
On 2/3/25 17:43, ben via cctalk wrote:
On 2025-02-03 5:06 p.m., Chuck Guzis via cctalk
wrote:
I get the feeling that you haven't done much x86 programming. Look at
some real code where arguments are pushed on the stack before a call,
local storage is allocated (stack frame) by setting BP, and addressing
of any member of the stack can be accomplished with {BP+displacement]
addressing.
If DS and CS are different, you can address 128KB without issues (why
would one want to change the executable code? If you want a private
stack area, set SS to something different.
To push the point a bit further, one need not have explicit stack
hardware if a generous enough register file is provided and
register-displacement addressing is implemented. Witness, for example,
IBM 370.
--Chuck
On 2/3/25 15:47, ben via cctalk wrote:
Was the X86 family meant for pascal type languages?
Other than the small model, every thing is a hack. No compiler generates bad code,just some hardware
was never meant to
have stack based addressing, like the 6502 or the 8088/8086.
Really? The x86 family does indeed have stack-based addressing. In
particular, The BP register holds the base of the stack frame and the
assumed segment is SS. Even the lowly 8085 has some (undocumented) nod
toward stack addressing.
4:37 p.m.
It was thus said that the Great ben via cctalk once stated:
On 2025-02-03 3:32 p.m., Sean Conner via cctalk
wrote:
Do you mean you want a compiler to generate 16-bit code? Or be compiled
as a 16-bit program to run under Linux? If the later, it's not supported,
or at least, not supported by default [1].
So it could be that C99 will work for you, it might not. A C89-only
compiler will work---it'll still accept K&R style code, and it will be old
enough to avoid the "exploit undefined behavior for better benchmarks"
compilers we have today. Or find an old K&R C compiler. They still exist,
but generate very bad code.
-spc
So where does on find a older version, on a current Linux build.
we don't support it!!! We only port the latest intel CPU.
You have 32 bit compilers, or bigger. I might want a 16 bit compiler
under Linux. I was hoping to use Embeddable Linux Kernel Subset
(ELKS) BCC compiler
and the 6809 code generator, but NO they had to rewrite it just for the
386.
It took me only a few minutes to find it. There's the GIT repository at
https://github.com/lkundrak/dev86
Yes, it requires git to initially download it, but it's available. And it
*still* has 6809 code generation. The code seems to be originally written
for Unix anyway, or at least it appears so from the initial importation into
git [2]:
/* bcc.c - driver for Bruce's C compiler (bcc) and for CvW's C compiler */
/* Copyright (C) 1992 Bruce Evans */
#define _POSIX_SOURCE 1
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
The latest version was ported to MS-DOS at some point. I was able to
compile the latest version (on a 32-bit Linux system---I no longer have a
MS-DOS C compiler so I couldn't test on that), but the code is C89, so in
theory, you could use any MS-DOS C compiler post 1989 to compile the code if
you so wish.
When I did the compile, there compiler did throw up some warning even
though none were specified because the code is that old, but I did get an
executable:
[spc]matrix:~/repo/dev86/bcc>./bcc
Usage: ./bcc [-ansi] [-options] [-o output] file [files].
Open source is popular because it was free.
No compiler generates bad code,just some hardware was never meant to
have stack based addressing, like the 6502 or the 8088/8086.
Look at the mess that small C has for 8088/8086 code gen.
Self hosting never seems to be important for C compiler on a small machine.
The 8086/8088 was never meant to have stack based addressing? Um, the
8086/8088 has an entire register dedicated to that (BP by the way). The
limitation with BP is that it's bound to the SS segment by default, and in
some memory models that becomes an issue, but to say it doesn't have stack
based addressing? Methinks you are misrembering here.
And self-hosting a C compiler on a small system isn't easy with 64K of RAM
total. The PDP-11 had at least 64K code space and 64K data space to work
with.
-spc
[1] I have run a 16-bit MS-DOS exectuable under Linux, but it was on a
32b x86-based Linux system with a custom program I wrote to run it.
I even had to emulate several MS-DOS system calls to get it to work
(since I needed input from a Unix program to be piped in, I couldn't
use DOSBox for this).
[2] Dated July 27, 2002, which is before git existed, but this
repository was converted to git at some point.
6:05 p.m.
On 2025-02-03 5:37 p.m., Sean Conner via cctalk wrote:
The PDP-11 and 6809 has the S+,-S the X86 is missing. POP BX; ADD AX BX
compared to ADDD S++ for the 6809.
Do you mean you want a compiler to generate 16-bit
code? Or be compiled
as a 16-bit program to run under Linux? If the later, it's not supported,
or at least, not supported by default [1].
I think back then the code was 16 bit rather than 32 bit for the C
compiler.
I was hoping to use Embeddable Linux Kernel
Subset (ELKS) BCC compiler
and the 6809 code generator, but NO they had to rewrite it just for the
386.
It took me only a few minutes to find it. There's the GIT repository at
https://github.com/lkundrak/dev86
When I did the compile, there compiler did throw up some warning even
though none were specified because the code is that old, but I did get an
executable:
[spc]matrix:~/repo/dev86/bcc>./bcc
Usage: ./bcc [-ansi] [-options] [-o output] file [files].
Open source is
popular because it was free.
No compiler generates bad code,just some hardware was never meant to
have stack based addressing, like the 6502 or the 8088/8086.
Look at the mess that small C has for 8088/8086 code gen.
Self hosting never seems to be important for C compiler on a small machine.
The 8086/8088 was never meant to have stack based addressing? Um, the
8086/8088 has an entire register dedicated to that (BP by the way). The
limitation with BP is that it's bound to the SS segment by default, and in
some memory models that becomes an issue, but to say it doesn't have stack
based addressing? Methinks you are misrembering here.
And self-hosting a C compiler on a small system
isn't easy with 64K of RAM
total. The PDP-11 had at least 64K code space and 64K data space to work
with.
That is true. The C compiler for the 6809 fit in a 64K memory space
under OS9.
-spc
[1] I have run a 16-bit MS-DOS exectuable under Linux, but it was on a
32b x86-based Linux system with a custom program I wrote to run it.
I even had to emulate several MS-DOS system calls to get it to work
(since I needed input from a Unix program to be piped in, I couldn't
use DOSBox for this).
[2] Dated July 27, 2002, which is before git existed, but this
repository was converted to git at some point.
6:50 p.m.
On Mon, Feb 3, 2025, 5:37 PM Sean Conner via cctalk <cctalk(a)classiccmp.org>
wrote:
It was thus said that the Great ben via cctalk once
stated:
Do you mean you want a compiler to generate 16-bit code? Or be compiled
as a 16-bit program to run under Linux? If the later, it's not supported,
or at least, not supported by default [1].
I have Vexix86 emulator that does much the same thing.
On 2025-02-03 3:32 p.m., Sean Conner via cctalk
wrote:
>
> So it could be that C99 will work for you, it might not. A C89-only
>compiler will work---it'll still accept K&R style code, and it will be
old
>enough to avoid the "exploit undefined
behavior for better benchmarks"
>compilers we have today. Or find an old K&R C compiler. They still
exist,
but
generate very bad code.
-spc
So where does on find a older version, on a current Linux build.
we don't support it!!! We only port the latest intel CPU.
You have 32 bit compilers, or bigger. I might want a 16 bit compiler
under Linux.
I was hoping to use Embeddable Linux Kernel Subset
(ELKS) BCC compiler
Bcc was written by Bruce Evans to have a compiler for 386BSD for the boot
loader (among other reasons). It dates back to the late 80s or so. It's one
of the reasons we in FreeBSD held onto K&R constructs in certain areas of
the tree for so long. Well after gcc / binutils could generate the small
bits of 16bit code the loader eventually required..
Warner
/* bcc.c - driver for Bruce's C compiler (bcc) and for CvW's C
and the 6809 code generator, but NO they had to
rewrite it just for the
386.
It took me only a few minutes to find it. There's the GIT repository at
https://github.com/lkundrak/dev86
Yes, it requires git to initially download it, but it's available. And it
*still* has 6809 code generation. The code seems to be originally written
for Unix anyway, or at least it appears so from the initial importation
into
git [2]:
compiler */
/* Copyright (C) 1992 Bruce Evans */
#define _POSIX_SOURCE 1
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
The latest version was ported to MS-DOS at some point. I was able to
compile the latest version (on a 32-bit Linux system---I no longer have a
MS-DOS C compiler so I couldn't test on that), but the code is C89, so in
theory, you could use any MS-DOS C compiler post 1989 to compile the code
if
you so wish.
When I did the compile, there compiler did throw up some warning even
though none were specified because the code is that old, but I did get an
executable:
[spc]matrix:~/repo/dev86/bcc>./bcc
Usage: ./bcc [-ansi] [-options] [-o output] file [files].
Open source is popular because it was free.
No compiler generates bad code,just some hardware was never meant to
have stack based addressing, like the 6502 or the 8088/8086.
Look at the mess that small C has for 8088/8086 code gen.
Self hosting never seems to be important for C compiler on a small
machine.
The 8086/8088 was never meant to have stack based addressing? Um, the
8086/8088 has an entire register dedicated to that (BP by the way). The
limitation with BP is that it's bound to the SS segment by default, and in
some memory models that becomes an issue, but to say it doesn't have stack
based addressing? Methinks you are misrembering here.
And self-hosting a C compiler on a small system isn't easy with 64K of
RAM
total. The PDP-11 had at least 64K code space and 64K data space to work
with.
-spc
[1] I have run a 16-bit MS-DOS exectuable under Linux, but it was on a
32b x86-based Linux system with a custom program I wrote to run
it.
I even had to emulate several MS-DOS system calls to get it to work
(since I needed input from a Unix program to be piped in, I
couldn't
use DOSBox for this).
[2] Dated July 27, 2002, which is before git existed, but this
repository was converted to git at some point.
11:33 p.m.
Beyond just the compiler, there are also optimization and other settings
(like the multitude levels of C-compliance or how strict to be about
warnings, or conditional-builds to tailor it specific situations).
Regardless, proper binary deliveries come with CRC checksums. This isn't
just to verify that you downloaded the file correctly, but to also help
verify that you've used the exact same "Bill of software material" (SBOM),
versions of dependencies, and other settings to produce that same binary.
The "more safe" isn't necessarily that "millions of anonymous
eyes" have
scanned the code for mistakes or anything bad. (yes, that can help, but no
guarantee it is actively taking place). Rather, IF something does happen,
you now have a kind of paper-trail to investigate where things went wrong.
A form of accountability (provided you can obtain that source, that
compiler version and its runtime support for whatever OS is involved - and
produce a build consistent with that CRC).
Running a prebuild from RandomPlace.com is always risky (even if things go
fine that day, "sleeper code" could park itself somewhere). But for me,
it's like buying a used car. Yep, it's a lot of risk on if the prior owner
is telling the truth. I just have to use good judgement that the car isn't
laced with something, doesn't have a tracker hidden on it, or isn't just
about to blow a gasket. Part of that good judgement is looking at other
community involvement by said theoretical "RandomPlace.com" and a virus
scan - akin to kicking the tires. First adopters can use virtual machines
and look for anomalies there, then after that, it's off to posting product
reviews.
It's odd to me that people cry about environmental harm of crypto, but not
a word about all the extra power wasted recompiling from source over and
over. Maybe if they just combine the two - that solving a crypto block
somehow involved recompiling something :) Can I patent that idea? (in a
nutshell, crypto is computing a massive complex-CRC of a ton of transaction
info).
We're still in the infancy of all this computer-stuff. The hoopla about
Rust bugged me and this term "memory safe languages." Syntax sugar
altogether bugs me, as I think shoveling ASCII text around in a text-editor
is not the ultimate in how software is create. UML failed us for various
reasons. I think the step past high level languages is moving into VR, and
using virtual constructs to "build" instead of "write" software. In
doing
so, now you can actively monitor the dependencies between modules (lines
between declarations, and a real time memory-model of their arrangement),
and decorate AST nodes (floating in 3-space) with optional tags (like
exception policy, whose doing range checks on inputs, or how any logging is
handled) instead of cluttering up all the core business logic. This system
would also allow actively monitoring resource requirements - to answer a
question like: this code can run on a RPi Nano with 128MB. Then you add
one aspect (or equivalent to a line of code), now suddenly whatever your
code is requires an RTX9090 in the system somewhere - so maybe you want to
re-think your approach. But maybe I'm wrong and "writing software" will
always be necessary. Time will tell. [ imo, UML "failed" because 2D
huge plotter size maps of class relationships wasn't really that helpful -
it was just a different format of what interface code already told you; and
a bunch of class relationships isn't really the meaningful part of a design
]
-Steve
On Mon, Feb 3, 2025 at 8:58 PM Warner Losh via cctalk <cctalk(a)classiccmp.org>
wrote:
On Mon, Feb 3, 2025, 5:37 PM Sean Conner via cctalk
<cctalk(a)classiccmp.org
wrote:
> It was thus said that the Great ben via cctalk once stated:
> > On 2025-02-03 3:32 p.m., Sean Conner via cctalk wrote:
> >
> > > So it could be that C99 will work for you, it might not. A
C89-only
> > >compiler will work---it'll still accept K&R style code, and it will
be
> old
> > >enough to avoid the "exploit undefined behavior for better
benchmarks"
> > >compilers we have today. Or find an old K&R C compiler. They still
> exist,
> > >but generate very bad code.
> >
> > > -spc
>
> > So where does on find a older version, on a current Linux build.
> > we don't support it!!! We only port the latest intel CPU.
>
> > You have 32 bit compilers, or bigger. I might want a 16 bit compiler
> > under Linux.
> Do you mean you want a compiler to generate 16-bit code? Or be
compiled
I have Vexix86 emulator that does much the same thing.
> I was hoping to use Embeddable Linux Kernel Subset (ELKS) BCC compiler
> > and the 6809 code generator, but NO they had to rewrite it just for the
> > 386.
> It took me only a few minutes to find it. There's the GIT repository
at
> https://github.com/lkundrak/dev86
> Yes, it requires git to initially download it, but it's available. And
it
Bcc was written by Bruce Evans to have a compiler for 386BSD for the boot
loader (among other reasons). It dates back to the late 80s or so. It's one
of the reasons we in FreeBSD held onto K&R constructs in certain areas of
the tree for so long. Well after gcc / binutils could generate the small
bits of 16bit code the loader eventually required..
Warner
/* bcc.c - driver for Bruce's C compiler (bcc) and for CvW's C
> compiler */
> /* Copyright (C) 1992 Bruce Evans */
> #define _POSIX_SOURCE 1
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <sys/wait.h>
> #include <unistd.h>
> #include <signal.h>
> #include <stdlib.h>
> #include <string.h>
> The latest version was ported to MS-DOS at some point. I was able to
> compile the latest version (on a 32-bit Linux system---I no longer have a
> MS-DOS C compiler so I couldn't test on that), but the code is C89, so in
> theory, you could use any MS-DOS C compiler post 1989 to compile the code
> if
> you so wish.
> When I did the compile, there compiler did throw up some warning even
> though none were specified because the code is that old, but I did get an
> executable:
> [spc]matrix:~/repo/dev86/bcc>./bcc
> Usage: ./bcc [-ansi] [-options] [-o output] file [files].
> > Open source is popular because it was free.
>
> > No compiler generates bad code,just some hardware was never meant to
> > have stack based addressing, like the 6502 or the 8088/8086.
> > Look at the mess that small C has for 8088/8086 code gen.
> > Self hosting never seems to be important for C compiler on a small
> machine.
> The 8086/8088 was never meant to have stack based addressing? Um, the
> 8086/8088 has an entire register dedicated to that (BP by the way). The
> limitation with BP is that it's bound to the SS segment by default, and
in
> And self-hosting a C compiler on a small system isn't easy with 64K
of
> RAM
> total. The PDP-11 had at least 64K code space and 64K data space to work
> with.
> -spc
> [1] I have run a 16-bit MS-DOS exectuable under Linux, but it was on
a
> [2] Dated July 27, 2002, which is before git existed, but this
> repository was converted to git at some point.
as a 16-bit program to run under Linux? If the
later, it's not
supported,
> or at least, not supported by default [1].
*still* has 6809 code generation. The code seems
to be originally
written
> for Unix anyway, or at least it appears so from the initial importation
> into
> git [2]:
some memory models that becomes an issue, but to
say it doesn't have
stack
> based addressing? Methinks you are misrembering here.
32b x86-based Linux system with a custom
program I wrote to run
it.
I even had to emulate several MS-DOS system calls to get it to
work
> (since I needed input from a Unix program to be piped in, I
> couldn't
> use DOSBox for this).
4 Feb
4 Feb
4:49 a.m.
On Tue, Feb 04, 2025 at 01:33:48AM -0600, Steve Lewis via cctalk wrote:
Beyond just the compiler, there are also optimization
and other settings
(like the multitude levels of C-compliance or how strict to be about
warnings, or conditional-builds to tailor it specific situations).
Regardless, proper binary deliveries come with CRC checksums. This isn't
Nitpick: Not CRC checksums, as those are only good to detect gross data
corruption (e.g. an entire page/sector being zeroed). The standard these
days is proper cryptographic hashes that are still known to be strong
(e.g. not MD5, as it is known to be weak and collisions can be generated,
but SHA256/SHA512) and the hashes cryptographically signed.
just to verify that you downloaded the file correctly,
but to also help
verify that you've used the exact same "Bill of software material" (SBOM),
versions of dependencies, and other settings to produce that same binary.
Reproducible builds is an issue by itself and requires careful attention
to the build systems. But it should be a base standard.
Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
9:21 a.m.
Nitpick: Not CRC checksums, as those are only good to detect gross data
Fair, "hash" would be the better term that I meant.
On Tue, Feb 4, 2025 at 7:00 AM Alexander Schreiber <als(a)thangorodrim.ch>
wrote:
> On Tue, Feb 04, 2025 at 01:33:48AM -0600, Steve Lewis via cctalk wrote:
> > Beyond just the compiler, there are also optimization and other settings
> > (like the multitude levels of C-compliance or how strict to be about
> > warnings, or conditional-builds to tailor it specific situations).
> >
> > Regardless, proper binary deliveries come with CRC checksums. This isn't
Nitpick: Not CRC checksums, as those are only good to detect gross data
> corruption (e.g. an entire page/sector being zeroed). The standard these
> days is proper cryptographic hashes that are still known to be strong
> (e.g. not MD5, as it is known to be weak and collisions can be generated,
> but SHA256/SHA512) and the hashes cryptographically signed.
>
> > just to verify that you downloaded the file correctly, but to also help
> > verify that you've used the exact same "Bill of software
material"
> (SBOM),
> > versions of dependencies, and other settings to produce that same binary.
>
> Reproducible builds is an issue by itself and requires careful attention
> to the build systems. But it should be a base standard.
>
> Kind regards,
> Alex.
> --
> "Opportunity is missed by most people because it is dressed in overalls and
> looks like work." -- Thomas A. Edison
>
11:09 a.m.
On Feb 4, 2025, at 6:49 AM, Alexander Schreiber via
cctalk <cctalk(a)classiccmp.org> wrote:
On Tue, Feb 04, 2025 at 01:33:48AM -0600, Steve Lewis via cctalk wrote:
Further nitpick. A CRC can do more than detect “only . . . gross data corruption.”
A properly designed CRC polynomial of length n should detect all errors
in a message block from a single-bit to a burst that is n bits long. A CRC
would be computed for each block of a message as opposed to a crypto-
graphic hash which is usually computed over the entire message.
—Milo
Beyond just the compiler, there are also
optimization and other settings
(like the multitude levels of C-compliance or how strict to be about
warnings, or conditional-builds to tailor it specific situations).
Regardless, proper binary deliveries come with CRC checksums. This isn't
Nitpick: Not CRC checksums, as those are only good to detect gross data
corruption (e.g. an entire page/sector being zeroed). The standard these
days is proper cryptographic hashes that are still known to be strong
(e.g. not MD5, as it is known to be weak and collisions can be generated,
but SHA256/SHA512) and the hashes cryptographically signed.
3 Feb
3 Feb
5:09 p.m.
On Feb 3, 2025, at 5:32 PM, Sean Conner via cctalk
<cctalk(a)classiccmp.org> wrote:
It was thus said that the Great ben via cctalk once stated:
You will have to evaluate the C compiler in question. The C Standard
covers not only the C language, but of a library as well, so your concerns
about bugs applies to both the compiler and the library that comes with it.
And it's not like there's just one C compiler everybody uses.
While a C99 compiler will work with K&R style code, and may very well
generate better code, there may still be issues because newer C compilers
take advantage of undefined behavior to optimize the code, to the degree
that once valid C code now exhibits bugs. For instance, this fragment of
code:
/* a and b are signed integers */
if (a + b < a) /* check for overflow */
handle_it();
may very well be removed because signed overflow in C is undefined, and by
definition (per the compiler writers) a programmer will never intentionally
invoke undefined bahavior, the code can be removed because it will never be
true (and this is current behavior! Really!).
In a great many cases, this isn't "code that once was valid C" but rather
code that always was invalid but in ways that old compilers did not catch or take
advantage of in optimization. There probably are some exceptions, given the evolving
standards.
There are various compiler warning options that are helpful for dealing with these errors,
so you're told that there's something wrong rather than the compiler just silently
doing things you probably didn't expect. I remember getting a lot of benefit out of
the GCC warnings about pointer aliasing -- the rule that T1 * and T2 * where T1 and T2 are
different types won't point to the same memory location.
paul
At the root of Open Source is you, the user, have the right to the
source code.
In the early days, that's as far as it went but especially after the
Morris Worm, security became very important, Open Source afforded
users the ability to inspect the code for vulnerabilities in ways that
you could not if all you had was the binaries.
But open source should have fixed versions, if possible.
Look at C compilers. I need a K&R C compiler for say 8088 build.
I might not want the latest C standard.
What version has the fewest bugs. 
2:39 p.m.
On Feb 3, 2025, at 14:09, ben via cctalk
<cctalk(a)classiccmp.org> wrote:
>
Open Source projects these days have short release cycles and are often abandoned for the
new hotness.
Part of my day job is supporting products that were developed years ago and are still
selling and are being updated now because a component in it has been EOL’ed and replaced
with a part the old kernel can’t handle. When I worked at Sun, code of this age was still
supported. However for the open source software used in this product even the upstream
repos and SDK tarballs are nowhere to be found on the internet.
alan
At the root of Open Source is you, the user, have
the right to the source code.
4
days inactive
5
days old
47 comments
18 participants
participants (18)
-
Alan Perry -
Alexander Schreiber -
ben -
Chuck Guzis -
David Wade -
Donald Whittemore -
Ethan Dicks -
Fred Cisin -
Milo Velimirović -
Paul Koning -
Scott Baker -
Sean Conner -
Steve Lewis -
Tony Jones -
Warner Losh -
Wayne S -
William Donzelli -
wrcooke@wrcooke.net