GNU Mes 0.24 released
Thiago Jung Bauermann
bauermann at kolabnow.com
Mon May 9 00:03:33 UTC 2022

Hello,

Ludovic Courtès <ludo at gnu.org> writes:
> Jan Nieuwenhuizen <janneke at gnu.org> skribis:
>
>> Mes has now been ported to M2-Planet and can be bootstrapped using
>> stage0-posix[0], starting from the 357-byte hex0 binary of the
>> bootstrap-seeds[1], as was promised at FOSDEM'21[2].
>
> This is amazing… congrats to you & everyone involved! You made it! :-)
>
> The ability to build literally everything from source, with reproducible
> builds, is a game changer IMO when it comes to supply chain security.

Indeed, this is awesome!

> The common objection is: “you’re building from source but you’re not
> gonna audit all that source code anyway, so why bother?” I think it’s
> akin to security by obscurity. That we collectively can and do fiddle
> with all this code makes a practical difference; that this is all
> transparent means that backdoors become harder to hide.

I saw a project a while ago with an interesting approach that looks very
interesting for tackling this problem: crowd-sourced, social code
review:

https://github.com/crev-dev/crev

If many people review a piece of code and there's a system to record
those reviews, then it's possible to get a metric that is proportional
to the trustworthiness of said code.

It's a big task, but for unchanging code bases (such as the bootstrap
chain), it's a finite amount of work...

--
Thanks
Thiago

More information about the rb-general mailing list