[Git][reproducible-builds/reproducible-website][master] Misc updates.
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Mon May 16 16:29:36 UTC 2022
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
a2328750 by Chris Lamb at 2022-05-16T09:29:28-07:00
Misc updates.
- - - - -
1 changed file:
- _posts/2022-05-13-jan-nieuwenhuizen-on-bootrappable-builds-gnu-mes-and-gnu-guix.md
Changes:
=====================================
_posts/2022-05-13-jan-nieuwenhuizen-on-bootrappable-builds-gnu-mes-and-gnu-guix.md
=====================================
@@ -8,6 +8,8 @@ draft: true
<big>The Reproducible Builds project relies on [several projects, supporters and sponsors]({{ "/who/" | relative_url }}) for financial support, but they are also valued as ambassadors who spread the word about our project and the work that we do.</big>
+[![]({{ "/images/news/supporter-spotlight-janneke/janneke.jpeg?#right" | relative_url }})](https://janneke.lilypond.org/)
+
This is the fourth instalment in a series featuring the projects, companies and individuals who support the Reproducible Builds project. If you are a supporter of the Reproducible Builds project (of whatever size) and would like to be featured here, please let get in touch with us at [contact at reproducible-builds.org](mailto:contact at reproducible-builds.org).
We started this series by [featuring the Civil Infrastructure Platform]({{ "/news/2020/10/21/supporter-spotlight-cip-project/" | relative_url }}) project and followed this up with a [post about the Ford Foundation]({{ "/news/2021/04/06/supporter-spotlight-ford-foundation/" | relative_url }}) as well as a [recent one about ARDC]({{ "/news/2022/04/14/supporter-spotlight-ardc/" | relative_url }}) and with the [Google Open Source Security Team (GOSST)](https://security.googleblog.com/). Today, however, we will be talking with **Jan Nieuwenhuizen** on **Bootstrappable Builds, GNU Mes and GNU Guix**.
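Review bot: The image added on the first `+` line has empty alt text (`![]`), so text-only clients and screen readers get nothing for it; suggest `![Jan Nieuwenhuizen]`. While the post is still `draft: true`, the filename slug is also worth correcting: it reads `bootrappable` (missing an "s"), and Jekyll derives the post URL from the filename by default. The unchanged context line below the image still says "please let get in touch with us", which could be fixed in the same pass.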
@@ -16,13 +18,11 @@ We started this series by [featuring the Civil Infrastructure Platform]({{ "/new
**Chris Lamb: Hi Jan, thanks for taking the time to talk with us today. First, could you briefly tell me about yourself?**
-[![]({{ "/images/news/supporter-spotlight-janneke/janneke.jpeg?#right" | relative_url }})](https://janneke.lilypond.org/)
-
Jan: Thanks for the chat; it's been a while! Well, I've always been trying to find something new and interesting that is just asking to be created but is mostly being overlooked. That's how I came to work on [GNU Guix](https://guix.gnu.org/) and create [GNU Mes](https://www.gnu.org/software/mes/) to address the bootstrapping problem that we have in free software. It's also why I have been working on releasing [Dezyne](https://dezyne.org), a programming language and set of tools to specify and formally verify concurrent software systems as free software.
-Briefly summarised, compilers are often written in the language they are compiling. This creates a chicken-and-egg problem which leads users and distributors to rely on opaque, pre-built binaries of those compilers that they use to build newer versions of the compiler. To gain trust in our computing platforms, we need to be able to tell how each part was produced from source, and opaque binaries are a threat to user security and user freedom since they are not auditable. The goal of bootstrappability (and the [bootstrappable.org](https://bootstrappable.org/) project in particular) is to minimize the amount of these "bootstrap" binaries.
+Briefly summarised, compilers are often written in the language they are compiling. This creates a chicken-and-egg problem which leads users and distributors to rely on opaque, pre-built binaries of those compilers that they use to build newer versions of the compiler. To gain trust in our computing platforms, we need to be able to tell how each part was produced from source, and opaque binaries are a threat to user security and user freedom since they are not auditable. The goal of bootstrappability (and the [bootstrappable.org](https://bootstrappable.org/) project in particular) is to minimise the amount of these "bootstrap" binaries.
-Anyway, after studying Physics at Eindhoven University of Technology (TU/e), I worked for [digicash.com](https://en.wikipedia.org/wiki/DigiCash), a startup trying to create a digital and anonymous payment system -- sadly, however, a traditional account-based system won. Separate to this, as there was no software (either free or proprietary) to automatically create beautiful music notation, together with Han-Wen Nienhuys, I created [GNU LilyPond](https://lilypond.org/). Ten years ago, I took the initiative to [co-found a democratic school](https://doe040.nl) based on [sociocracy](https://en.wikipedia.org/wiki/Sociocracy) in Eindhoven: And last Christmas, I finally went vegan, after being mostly vegetarian for about 20 years.
+Anyway, after studying Physics at Eindhoven University of Technology (TU/e), I worked for [digicash.com](https://en.wikipedia.org/wiki/DigiCash), a startup trying to create a digital and anonymous payment system -- sadly, however, a traditional account-based system won. Separate to this, as there was no software (either free or proprietary) to automatically create beautiful music notation, together with Han-Wen Nienhuys, I created [GNU LilyPond](https://lilypond.org/). Ten years ago, I took the initiative to [co-found a democratic school](https://doe040.nl) in Eindhoven based on the principles of [sociocracy](https://en.wikipedia.org/wiki/Sociocracy). And last Christmas I finally went vegan, after being mostly vegetarian for about 20 years!
<br>
@@ -50,13 +50,13 @@ Jan: Mes supports all that is needed from '[R5RS](https://schemers.org/Documents
In working to create a full-source bootstrap, I have disregarded the kernel and Guix build system for now, but otherwise, all packages should be built from source, and obviously, no binary blobs should go in. We still need a Guile binary to execute some scripts, and it will take at least another one to two years to remove that binary. I'm using the 80/20 approach, cutting corners initially to get something working and useful early.
-Another metric would be how many architectures we have. We are quite a way with ARM, tinycc now works, but there are still problems with GCC and Glibc. RISC-V is coming, too, which could be another metric. Someone has looked into picking up NixOS this summer. "How many distros do anything about reproducibility or bootstrappability?" The bootstrappability community is so small that we don't 'need' metrics, sadly. The number of bytes of binary seed is a nice metric, but running the whole thing on a full-fledged Linux system is tough to put into a metric. Also it is worth noting that I'm developing on a modern Intel machine (ie. a platform with a [management engine](https://en.wikipedia.org/wiki/Intel_Management_Engine)), that's another key component that doesn't have metrics.
+Another metric would be how many architectures we have. We are quite a way with ARM, tinycc now works, but there are still problems with GCC and Glibc. RISC-V is coming, too, which could be another metric. Someone has looked into picking up NixOS this summer. "How many distros do anything about reproducibility or bootstrappability?" The bootstrappability community is so small that we don't 'need' metrics, sadly. The number of bytes of binary seed is a nice metric, but running the whole thing on a full-fledged Linux system is tough to put into a metric. Also, it is worth noting that I'm developing on a modern Intel machine (ie. a platform with a [management engine](https://en.wikipedia.org/wiki/Intel_Management_Engine)), that's another key component that doesn't have metrics.
<br>
**Chris: From your perspective as a Mes/Guix user and developer, what does 'reproducibility' mean to you? Are there any related projects?**
-Jan: From my perspective, I'm more into the problem of bootstrapping, and reproducibility is a prerequisite for bootstrappability. Reproducibility clearly takes a lot of effort to achieve, however. It's relatively easy to install some Linux distribution and be happy, but if you look at communities that really care about security, they are investing in reproducibility and other ways of improving the security of their supply chain. Projects I believe are complementary to Guix and Mes include [NixOS](https://nixos.org/), [Debian](https://debian.org/) and, on the hardware side, the [RISC-V](https://en.wikipedia.org/wiki/RISC-V) platform shares many of our core principles and goals.
+Jan: From my perspective, I'm more into the problem of bootstrapping, and reproducibility is a prerequisite for bootstrappability. Reproducibility clearly takes a lot of effort to achieve, however. It's relatively easy to install some Linux distribution and be happy, but if you look at communities that really care about security, they are investing in reproducibility and other ways of improving the security of their supply chain. Projects I believe are complementary to Guix and Mes include [NixOS](https://nixos.org/), [Debian](https://debian.org/) and — on the hardware side — the [RISC-V](https://en.wikipedia.org/wiki/RISC-V) platform shares many of our core principles and goals.
<br>
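Review bot: On the last `+` line, setting "on the hardware side" off with dashes leaves the sentence with two main verbs: "Projects I believe are complementary to Guix and Mes include NixOS, Debian and ... the RISC-V platform shares many of our core principles". Suggest ending the list after Debian and starting a new sentence, "On the hardware side, the RISC-V platform shares ...". On the earlier `+` line, "ie." should be "i.e.", and the comma before "that's another key component" is a comma splice that reads better as a full stop or semicolon.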
@@ -76,13 +76,15 @@ Jan: The "ultimate" goal would be to have a system built with open hardware, wit
Our biggest challenge is ignorance. There is much unawareness about the importance of what we are doing. As it is rather technical and doesn't really affect everyday computer use, that is not surprising. This unawareness can be a great force driving us in the opposite direction. Think of Rust being allowed in the Linux kernel, or Python being required to build a recent [GNU C library (glibc)](https://www.gnu.org/software/libc/). Also, the fact that companies like Google/Apple still want to play "us" vs "them", not willing to to support GPL software. Not ready yet to truly support user freedom.
-Take the infamous [log4j bug](https://en.wikipedia.org/wiki/Log4Shell) — everyone is using "open source" these days, but nobody wants to take responsibility and help develop or nurture the community. Not "ecosystem", as that's how it's being approached right now: live and let live/die: see what happens without taking any responsibility. We are growing and we are strong and we can do a lot, but if we have to work against those powers, it can become problematic. So, let's spread our great message and get more people involved!
+Take the infamous [log4j bug](https://en.wikipedia.org/wiki/Log4Shell) — everyone is using "open source" these days, but nobody wants to take responsibility and help develop or nurture the community. Not "ecosystem", as that's how it's being approached right now: live and let live/die: see what happens without taking any responsibility. We are growing and we are strong and we can do a lot... but if we have to work against those powers, it can become problematic. So, let's spread our great message and get more people involved!
<br>
-**Chris: What would be your biggest win?**
+**Chris: What has been your biggest win?**
+
+Jan: From a technical point of view, the ["full-source" bootstrap](https://issues.guix.gnu.org/55227) has have been our biggest win. A talk by Carl Dong at the 2019 [Breaking Bitcoin](https://breaking-bitcoin.com/) conference stated that connecting [Jeremiah Orian's Stage0 project](https://savannah.nongnu.org/projects/stage0) to Mes would be the "holy grail" of bootstrapping, and we recently managed to achieve just that: in other words, starting from `hex0`, 357-byte binary, we can now build the entire Guix system.
-Jan: From a technical point of view the full-source bootstrap is our biggest win. A talk by Carl Dong at the 2019 [Breaking Bitcoin](https://breaking-bitcoin.com/) conference stated that connecting [Jeremiah Orian's Stage0 project](https://savannah.nongnu.org/projects/stage0) to Mes would be the holy grail of bootstrapping, and we just managed to achieve that. In other words, starting from `hex0`, 357-byte binary, we can now build the entire Guix system. This past year we made not so much visible progress as the funding was, unfortunately, not there. The Stage 0 project has advanced in RISC-V. A month ago, however, I secured [NLnet](https://nlnet.nl/) funding for another year (with two possible extensions), and thanks to NLnet now also Ekaitz Zarraga and Timothy Sample will work on GNU Mes and the Guix bootstrap, and possibly on the RISC-V port. The bootstrappable community has grown a lot from two people it was six years ago: there are currently over 100 people in the `#bootstrappable` IRC channel. That's possibly an even more important win!
+This past year we have not made significant *visible* progress, however, as our funding was unfortunately not there. The Stage0 project has advanced in RISC-V. A month ago, though, I secured [NLnet](https://nlnet.nl/) funding for another year, and thanks to NLnet, Ekaitz Zarraga and Timothy Sample will work on GNU Mes and the Guix bootstrap as well. Separate to this, the bootstrappable community has grown a lot from two people it was six years ago: there are now currently over 100 people in the `#bootstrappable` IRC channel, for example. The enlarged community is possibly an even more important win going forward.
<br>
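Review bot: The new answer paragraph has two typos: "has have been our biggest win" and "starting from `hex0`, 357-byte binary" (missing "a"). The paragraph after it has the redundant "now currently". The rewrite also drops "(with two possible extensions)" and "and possibly on the RISC-V port" from the original answer; if that removal is not intentional, restore them. Changing the question from "What would be" to "What has been" fits the answer, so no concern there.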
@@ -100,8 +102,8 @@ The core issue is not the trust; we can probably all trust each other. On the ot
Jan: Sure! First, check out:
-* The [GNU Mes homepage](https://gnu.org/s/mes)
-* The [Bootstrappable.org](https://bootstrappable.org) project (also on `irc.libera.chat` in the `#bootstrappable` channel)
+* The [GNU Mes homepage](https://gnu.org/s/mes).
+* The [Bootstrappable.org](https://bootstrappable.org) project (also on `irc.libera.chat` in the `#bootstrappable` channel).
* Our latest talk on GNU Mes from [FOSDEM '21](https://archive.fosdem.org/2021/) is [available online](https://archive.fosdem.org/2021/schedule/event/gnumes).
* The [GNU Guix](https://guix.gnu.org) homepage and various [blog posts about reproducible builds and bootstrapping in GNU Guix](https://guix.gnu.org/en/blog/tags/bootstrapping).
* A page describing [our funding by NLnet](hhttps://nlnet.nl/project/GNUMes-ARM_RISC-V).
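Review bot: The NLnet link in the last bullet (unchanged context) uses the scheme `hhttps://`, so it will not resolve as an absolute URL. Since this hunk already touches the list, correct it to `https://` in the same commit.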
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/a2328750e17e8972084cd04e14c7a5dc5c352b99