GNU Mes 0.24 released
Sébastien Lerique
sl at eauchat.org
Sun May 8 13:55:41 UTC 2022
Amazing indeed!
On 07 May 2022 at 16:11, Larry Doolittle <larry at doolittle.boa.org> wrote:
>> The common objection is: “you’re building from source but you’re not
>> gonna audit all that source code anyway, so why bother?” [...]
>> Supply chain security is a spectrum and I think this achievement changes
>> what we can expect and demand.
>
> I've had this conversation before, any my analogy is to the
> three legs of a stool. Bootstrapped toolchains, reproducible builds,
> and source-code audits. Each one is arguably useless without the others,
> but taken together, you've actually accomplished something meaningful.
> Maybe I should also include "cryptographically signed artifact distribution"
> on that list.
>
In a similar line, Bunnie Huang gave an interesting talk about the
hardware trust level a few years ago [0], which led to the Precursor
project [1,2].
Cheers,
Sébastien
[0] https://media.ccc.de/v/36c3-10690-open_source_is_insufficient_to_solve_trust_problems_in_hardware
[1] https://www.crowdsupply.com/sutajio-kosagi/precursor
[2] https://www.bunniestudios.com/blog/?p=5979
More information about the rb-general
mailing list