[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
15/66: ccs-2021: Typos, hyphenation, and other improvements.
From: |
Ludovic Courtès |
Subject: |
15/66: ccs-2021: Typos, hyphenation, and other improvements. |
Date: |
Wed, 29 Jun 2022 11:31:58 -0400 (EDT) |
civodul pushed a commit to branch master
in repository maintenance.
commit 0856eac1e32df378884b828788678467c4fc90af
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Thu May 6 10:34:32 2021 +0200
ccs-2021: Typos, hyphenation, and other improvements.
Reported by Jan Nieuwenhuizen <janneke@gnu.org>.
---
doc/ccs-2021/security.sbib | 7 ++++++
doc/ccs-2021/supply-chain.skb | 55 ++++++++++++++++++++++++++++---------------
2 files changed, 43 insertions(+), 19 deletions(-)
diff --git a/doc/ccs-2021/security.sbib b/doc/ccs-2021/security.sbib
index dbcfb8e..8ef6c95 100644
--- a/doc/ccs-2021/security.sbib
+++ b/doc/ccs-2021/security.sbib
@@ -86,6 +86,13 @@
(month "June")
(url
"https://guix.gnu.org/en/blog/2020/guix-further-reduces-bootstrap-seed-to-25/"))
+(misc janneke2021:full-source-bootstrap
+ (url "https://fosdem.org/2021/schedule/event/gnumes/")
+ (title "GNU Mes — the Full Source Bootstrap")
+ (author "Jan Nieuwenhuizen")
+ (year "2021")
+ (month "February"))
+
(article thompson1984:trusting-trust
(author "Ken Thompson")
(title "Reflections on Trusting Trust")
diff --git a/doc/ccs-2021/supply-chain.skb b/doc/ccs-2021/supply-chain.skb
index a564000..685a725 100644
--- a/doc/ccs-2021/supply-chain.skb
+++ b/doc/ccs-2021/supply-chain.skb
@@ -37,9 +37,22 @@
(symbol "=>"))
;; XXX: Terrible hack to turn hyphens into hyphenation points in 'tt'.
-(set! (@@ (skribilo engine latex) latex-tt-encoding)
- `((#\- "-\\-")
- ,@(@@ (skribilo engine latex) latex-tt-encoding)))
+(define latex-tt-encoding
+ `((#\- "-\\-")
+ (#\h "h\\-") ;“authorizations”, “authenticate”
+ ,@(@@ (skribilo engine latex) latex-tt-encoding)))
+
+(markup-writer 'tt (find-engine 'latex)
+ :before "{\\texttt{"
+ :action (lambda (n e)
+ (let ((ne (make-engine
+ (gensym "latex")
+ :delegate e
+ :filter (make-string-replace latex-tt-encoding)
+ :custom (engine-customs e)
+ :symbol-table (engine-symbol-table e))))
+ (output (markup-body n) ne)))
+ :after "}}")
;; For pdflatex.
(engine-custom-set! (find-engine 'latex) 'image-format '("pdf"))
@@ -62,6 +75,9 @@
;; typeset inside teletype text.
"\\DeclareUnicodeCharacter{2026}{\\textrm{\\ldots}}\n"
+ ;; Improve hyphenation.
+ "\\hyphenation{Open-PGP}\n"
+
"\
%% \\fancyhf{} % Remove fancy page headers
%% \\fancyhead[C]{Anonymous submission \\#9999 to ACM CCS 2021} % TODO:
replace 9999 with your paper number
@@ -302,17 +318,17 @@ already available. Likewise, ,(tt [guix challenge
hello]) compares
binaries of the ,(tt [hello]) package available locally with those
provided by one or several substitute servers.])
(p [Are reproducible builds enough to guarantee that one can
-verify source-to-binary mappings? In his Turing Award acceptance speech
-,(ref :bib 'thompson1984:trusting-trust), Ken Thompson described a
-scenario whereby a legitimate-looking build process would produce a
-malicious binary—if that build process is reproducible, it just
-reproducibly build a malicious binary. The attack Thompson described,
-often referred to as a “Trusting Trust attack”, consists in targeting
-the compilation toolchain, typically by modifying the compiler such that
-it emits malicious code when it recognizes specific patterns of source
-code. This attack can be undetectable. What makes such attacks
-possible is that users and distributions rely on opaque binaries at some
-level to “bootstrap” the entire package dependency graph.])
+verify source-to-binary mappings? In his Turing Award acceptance
+speech, Ken Thompson described a scenario whereby a legitimate-looking
+build process would produce a malicious binary ,(ref :bib
+'thompson1984:trusting-trust). If that build process is reproducible,
+it just reproducibly builds a malicious binary. The attack Thompson
+described, often referred to as a “Trusting Trust attack”, consists in
+targeting the compilation toolchain, typically by modifying the compiler
+such that it emits malicious code when it recognizes specific patterns
+of source code. This attack can be undetectable. What makes such
+attacks possible is that users and distributions rely on opaque binaries
+at some level to “bootstrap” the entire package dependency graph.])
(p [In 2017, Jan Nieuwenhuizen ,(it [et al.]) sought to address
this forty-year-old problem at its root: by ensuring no opaque binaries
appear in the package dependency graph—no less ,(ref :bib
@@ -324,9 +340,10 @@ at the root of the Guix package graph, well below what had
been achieved
so far ,(ref :bib 'janneke2020:bootstrap). While many considered it
unrealistic a few years earlier, the initial goal of building ,(emph
[everything]) from source, starting from a small core and incrementally
-building more complex pieces of software, is now within reach. This has
-the potential to thwart an entire class of software supply chain attacks
-that has been known but left unaddressed for forty years.]))
+building more complex pieces of software, is now within reach ,(ref :bib
+'janneke2021:full-source-bootstrap). This has the potential to thwart
+an entire class of software supply chain attacks that has been known but
+left unaddressed for forty years.]))
(chapter :title [Rationale] :ident "rationale"
@@ -360,7 +377,7 @@ pull]).])
run malicious code. An attacker could trick the user into connecting to
an alternate repository that contains malicious code or definitions for
backdoored packages. This is made more difficult by the fact that code
-is fetched over HTTPS by default, which allows clients to authenticates
+is fetched over HTTPS by default, which allows clients to authenticate
the server they are connecting to. However, server authentication is of
no use when the server hosting the repository is compromised, as
happened to GNU’s Savannah in 2010 ,(ref :bib 'fsf2010:compromise).])
@@ -788,7 +805,7 @@ themselves authenticating hundreds of commits when running
,(tt [guix
pull]). The implementation must be able to perform well.])
(p [At the algorithmic level, the main optimization is to
-consider than, if a commit has been authenticated, then all the commits
+consider that, if a commit has been authenticated, then all the commits
in its transitive closure are automatically considered authentic and do
not need to be checked. This optimization stems from the fact that the
commit graph has integrity properties similar to that of a Merkle-style
- 25/66: icse-2022: Final (?) tweaks., (continued)
- 25/66: icse-2022: Final (?) tweaks., Ludovic Courtès, 2022/06/29
- 04/66: ccs-2021: Tweak "related work", add proper references., Ludovic Courtès, 2022/06/29
- 09/66: ccs-2021: Write conclusion., Ludovic Courtès, 2022/06/29
- 21/66: icse-2022: Link to "Git Cryptography Protocol"., Ludovic Courtès, 2022/06/29
- 29/66: programming-2022: Adjust to <Programming> style., Ludovic Courtès, 2022/06/29
- 31/66: programming-2022: Expand "Related Work"., Ludovic Courtès, 2022/06/29
- 32/66: programming-2022: Use a monospace font for code snippets., Ludovic Courtès, 2022/06/29
- 08/66: ccs-2021: Capitalize section titles., Ludovic Courtès, 2022/06/29
- 10/66: ccs-2021: Improve "Rationale" section., Ludovic Courtès, 2022/06/29
- 13/66: ccs-2021: Proof-read and tweak., Ludovic Courtès, 2022/06/29
- 15/66: ccs-2021: Typos, hyphenation, and other improvements.,
Ludovic Courtès <=
- 14/66: ccs-2021: Update ACM categories., Ludovic Courtès, 2022/06/29
- 16/66: ccs-2021: Tweak "Related Work"., Ludovic Courtès, 2022/06/29
- 17/66: ccs-2021: Give example authentication throughput., Ludovic Courtès, 2022/06/29
- 18/66: ccs-2021: Prepare for ICSE resubmission., Ludovic Courtès, 2022/06/29
- 19/66: icse-2022: Add CCS reviews., Ludovic Courtès, 2022/06/29
- 20/66: icse-2022: Mention sigstore., Ludovic Courtès, 2022/06/29
- 35/66: programming-2022: Mention prior work upfront in the intro., Ludovic Courtès, 2022/06/29
- 36/66: programming-2022: Clarify intro commits and downgrade protection., Ludovic Courtès, 2022/06/29
- 44/66: cise-2022: Remove unused procedures., Ludovic Courtès, 2022/06/29
- 45/66: programming-2022: Add diff document., Ludovic Courtès, 2022/06/29