[bootstrappable] How to talk to skeptics?

Jeremiah at pdp10.guru
Wed Dec 14 23:00:49 UTC 2022


> We already fully trust the sources they release, and we already fully
> trust their binary compiler releases.
Well, that assumption is 100% wrong.

Trusting source code is the wrong place to place trust.
And trusting binaries is just a bad idea in general.

But for the people who do choose to trust binaries, reproducible builds
are the only option you have to check whether the source and the binaries
correspond.

And even that comes with restrictions to make it semi-safe.

Think of reproducible builds as condoms: used incorrectly, they don't
protect you. But proper use reduces the risks you are exposed to if you
choose to trust binaries downloaded onto your system.

Then think of bootstrappable builds as STD contact tracing: if none of
the people you have sex with has herpes, and you know everyone they had
sex with back until the dawn of time, there is no way for you to get
herpes from the actions you engage in, even if they aren't reproducible
(no condom used).

In an ideal world, we would be bootstrapping entirely from a seed we
ourselves make in a few hundred bytes toggled into memory. But we need
to be practical, because other people will never choose to do that. So
choosing to make our work reproducible and having a clear bootstrapping
path is a way of showing we care about others, giving those engaging in
risky behaviors a better chance of not catching anything they don't want
or didn't opt into.

But that is just my biased (as fuck) view on this.

-Jeremiah
