I find it a bit weird how reflections on trusting trust is being forced into these discussions, almost like it's a solved problem. But it very much isn't, and existing distro toolchains are still very opaque.
Morten Linderud (foxboron@chaos.social)'s status on Thursday, 29-Feb-2024 11:52:03 JST Morten Linderud -
clacke (clacke@libranet.de)'s status on Thursday, 29-Feb-2024 11:52:01 JST clacke @Foxboron @dch @mjg59 Trusting Trust is a "solved" problem for the general case. It's just hard work to solve it in each specific case, but bootstrappable NixOS and Guix are a thing now and solve 95% of it, while still relying on a machine with firmware and Linux. But it doesn't even have to be a close to 100% solution for Trusting Trust to apply.
If you can give me human-readable and understandable source code that compiles under more than one independently developed compiler, or under at least one free software compiler, that's already far better than a binary and "trust me, it does what I claim it does".
Morten Linderud (foxboron@chaos.social)'s status on Thursday, 29-Feb-2024 19:10:43 JST Morten Linderud We don't have several independently developed compilers, so we are only getting weak proofs of DDC. We are still reliant on different versions of GCC.
https://reproducible-builds.org/news/2019/12/21/reproducible-bootstrap-of-mes-c-compiler/
NixOS isn't bootstrappable yet as it's a WIP, so only really Guix.