Hi all,

Obviously, I verify the signature of the source code that I compile GCC from, but I don't/cannot verify at all the authenticity of the compiler that will do it. It's entirely possible that the compiler I currently use and will use for compiling GCC is evil and compiles some extra, malicious code into my freshly compiled compiler (too).

The only feasible solution I can think of is a bloodline of compilers in which a newer version was always compiled from a previous, trusted one… and the first one is simple enough to be verified by a human.

Am I too paranoid? Is it a possible threat?

--
zsugabubus