Author: Chris Angelico
Created at: 2025-11-17 22:11
Number: 37
Clean content: James Webber: Is any language really safe from this? Surely gcc alone is a hugely valuable target for such an attack–how do we know it hasn’t happened? Heck, how do we know it hasn’t happened in CPython ? The biggest protection is having multiple compilers. Do you want to make sure your gcc hasn’t been infected? Download the source code for gcc, and compile it using clang. This could also be affected, but only if someone has infected BOTH compilers. The more diffferent options there are, the less of a threat this is. The threat is, by definition, only relevant to compiled languages that compile their own compilers. It’s inherent in the bootstrapping. So this can’t happen in CPython as it currently is, unless there’s some way that Python code is being used to generate future versions of the CPython binary, in a way that’s independent of the source code (eg Argument Clinic can’t be that, because the output is right there for everyone to see).
