"No amount of source-level verification or scrutiny will protect you from using untrusted code"
About this Quote
Thompson’s line lands like a shrug from someone who helped invent the modern computing world and then watched it grow a soft underbelly. It isn’t anti-testing cynicism so much as a cold statement about where trust actually lives in software: not in your diligence, but in the layers you can’t realistically audit. “Source-level verification” is the comforting ritual of engineers who believe the truth is on the page. Thompson points out the trap: the page is not the program.
The context is his famous “Trusting Trust” argument, where he describes a compiler that can be maliciously modified to insert a backdoor into compiled binaries while leaving the source code pristine. Even if you pore over the application’s source and the compiler’s source, a compromised compiler can re-infect its own future builds. Scrutiny becomes theatre, because the system that translates scrutiny into reality is itself the attack surface.
The subtext is an early warning about supply-chain security before we had the vocabulary for it: dependencies, build pipelines, signed artifacts, reproducible builds. He’s describing a recursion of trust - you can’t prove a tool is honest using the tool’s own outputs. It’s epistemology with shell scripts.
Why it works is its absolutism. “No amount” is a dare, a refusal to let readers retreat into “best practices” as moral cover. Thompson isn’t saying verification is useless; he’s saying it’s insufficient against adversaries who target the invisible seams. The only protection is replacing naive trust with engineered trust: diverse compilation, independent toolchains, verifiable builds, and a sober acceptance that software is, always, a social system with technical consequences.
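To make the recursion concrete, here is an added toy simulation, not code from the quoted paper or from this page: a "compiler" is modelled as a function from source text to an artifact, a poisoned compiler re-infects any compiler it builds even from pristine source, and the diverse double-compiling check (the "independent toolchains" idea, after David A. Wheeler's DDC) rebuilds the suspect compiler with a second, independently produced compiler and compares the results. All names, the sample source string and the "trojan" flag are constructed for the illustration.

```python
"""Toy model of a self-propagating compiler backdoor and of the diverse
double-compiling (DDC) check that exposes it.  Constructed illustration only:
an artifact is a frozen record of the source it was built from plus a flag
saying whether it carries the hidden payload; a compiler is a function from
source text to such an artifact.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Callable

Compiler = Callable[[str], "Binary"]

# Constructed stand-in for a compiler's source tree.  It reads honestly;
# nothing in the text hints at a payload, which is the whole point.
COMPILER_SOURCE = "clean compiler source v1"


def is_compiler_source(source: str) -> bool:
    """The trigger: does this source look like the compiler itself?"""
    return "compiler source" in source


@dataclass(frozen=True)
class Binary:
    built_from: str   # source text this artifact was produced from
    trojaned: bool    # does the artifact carry the hidden payload?

    def digest(self) -> str:
        # Deterministic identity of the artifact; this is what a
        # reproducible-build comparison checks byte-for-byte.
        return hashlib.sha256(f"{self.built_from}|{self.trojaned}".encode()).hexdigest()

    def run_as_compiler(self) -> Compiler:
        """Treat this artifact as a compiler.  A poisoned one re-infects any
        compiler it builds, whatever the source says; a clean one never does."""
        def compile_(source: str) -> Binary:
            return Binary(source, trojaned=self.trojaned and is_compiler_source(source))
        return compile_


def honest_compile(source: str) -> Binary:
    """The trusted, independently written compiler (DDC's second toolchain)."""
    return Binary(source, trojaned=False)


def ddc_check(suspect: Binary, compiler_source: str, trusted: Compiler) -> bool:
    """Diverse double-compiling:
         stage1 = trusted(compiler_source)   built by the independent toolchain
         stage2 = stage1(compiler_source)    that result builds the compiler again
         regen  = suspect(compiler_source)   the suspect binary rebuilds itself
    With deterministic compilation, stage2 and regen must be identical.  A
    mismatch means the suspect binary does not correspond to its source."""
    stage1 = trusted(compiler_source)
    stage2 = stage1.run_as_compiler()(compiler_source)
    regen = suspect.run_as_compiler()(compiler_source)
    return stage2.digest() == regen.digest()


def scenario() -> dict[str, bool]:
    """Walk through the argument: source review, self-rebuild, then DDC."""
    clean = honest_compile(COMPILER_SOURCE)
    trojan = Binary(COMPILER_SOURCE, trojaned=True)  # same source, poisoned artifact
    # A source-level review sees identical text for both compilers.
    source_identical = clean.built_from == trojan.built_from
    # Rebuilding the compiler from pristine source with the poisoned binary
    # reproduces the payload: the page is not the program.
    rebuilt = trojan.run_as_compiler()(COMPILER_SOURCE)
    return {
        "source_identical": source_identical,
        "trojan_survives_self_rebuild": rebuilt.trojaned,
        "ddc_passes_clean": ddc_check(clean, COMPILER_SOURCE, honest_compile),
        "ddc_passes_trojan": ddc_check(trojan, COMPILER_SOURCE, honest_compile),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:32s} {outcome}")
```

The check only works because the second compiler is genuinely independent and because the build is deterministic; if the "trusted" compiler were itself produced by the suspect toolchain, or the build embedded timestamps and paths, the comparison would prove nothing, which is why reproducible builds and a separately bootstrapped toolchain belong together.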
Quote Details
| Topic | Privacy & Cybersecurity |
|---|---|
| Source | Ken Thompson, "Reflections on Trusting Trust" (Turing Award lecture/paper), Communications of the ACM, 1984. |