
Trusting trust

Name: Anonymous 2017-01-26 20:31

So how likely is it that there are hidden trojan horse-like vulnerabilities in common open source software that we haven't noticed? How valuable is the idea that we should start over and build our systems the right way to prevent that possibility at every step?

Name: Anonymous 2017-01-26 21:35

>>2
Yeah but if it was built into the binary to replicate itself without tainted source, e.g. through a compiler, it would be much harder to notice.

This is probably not the only solution, but I think you'd have to compile one compiler with two different compilers, then use each different compiled compiler to detect differences between compiled binaries in their outputs.

e.g.
Compiler A 2.0 (compiled by Compiler A 1.9) is tainted.
To verify this, you'd have to compile a second version of Compiler A 2.0 (call it Compiler AB 2.0) with Compiler B (which has either no vulnerabilities, or sufficiently different ones).

Then you'd compile Compiler A 2.0 again with both Compiler A 2.0, and Compiler AB 2.0. If the binaries are different, you could be reasonably sure that Compiler A isn't tainted, or that A and B are tainted in the same way.
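
A toy model of the two-stage check described in the post above, added here as an illustration and not written by any poster in the thread. It reports how the final bit-for-bit comparison comes out when Compiler A 1.9 is clean, when it is tainted, and when A and B are tainted the same way. The `Binary` record, the `payload` flag and every function name are constructed for the example; real compilers are replaced by a hash over "who compiled what".

```python
import hashlib
from dataclasses import dataclass

SRC_A20 = "compiler A 2.0 source"   # constructed stand-in for the audited source

@dataclass(frozen=True)
class Binary:
    image: bytes     # what you would hash or diff on disk
    behaves_as: str  # the source whose behaviour this binary implements
    payload: bool    # hidden self-propagating logic absent from every source

def compile_with(compiler: Binary, source: str) -> Binary:
    """Toy compile step: output depends on how the compiler behaves, not on who built it."""
    # A tainted compiler re-inserts its payload only when it recognises compiler source.
    carries = compiler.payload and source.startswith("compiler")
    material = f"{compiler.behaves_as}|{source}|{'payload' if carries else 'clean'}"
    return Binary(hashlib.sha256(material.encode()).digest(), source, carries)

def vendor_binary(name: str, tainted: bool) -> Binary:
    """A compiler binary we received and cannot audit (constructed sample input)."""
    return Binary(hashlib.sha256(name.encode()).digest(), name, tainted)

def ddc(a_prev: Binary, b: Binary) -> dict:
    # Stage 1: build the same A 2.0 source with each parent compiler.
    a20 = compile_with(a_prev, SRC_A20)    # "Compiler A 2.0"
    ab20 = compile_with(b, SRC_A20)        # "Compiler AB 2.0"
    # Stage 2: rebuild A 2.0 with each stage-1 result and compare bit for bit.
    out_a = compile_with(a20, SRC_A20)
    out_ab = compile_with(ab20, SRC_A20)
    return {"stage1_identical": a20.image == ab20.image,
            "stage2_identical": out_a.image == out_ab.image}

def run_cases() -> dict:
    clean_a = vendor_binary("compiler A 1.9", tainted=False)
    bad_a = vendor_binary("compiler A 1.9", tainted=True)
    clean_b = vendor_binary("compiler B", tainted=False)
    bad_b = vendor_binary("compiler B", tainted=True)
    return {"A clean, B clean": ddc(clean_a, clean_b),
            "A tainted, B clean": ddc(bad_a, clean_b),
            "A tainted, B tainted alike": ddc(bad_a, bad_b)}

if __name__ == "__main__":
    for case, result in run_cases().items():
        print(f"{case}: {result}")
```

The stage-1 binaries differ in every case because A 1.9 and B generate different code, which is why only the stage-2 outputs are compared.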
