verifiable source-only bootstrap from scratch

Michael Schierl schierlm at gmx.de
Fri Mar 10 22:42:56 UTC 2023


On 08.03.2023 at 07:21, ahojlm at 0w.se (ahojlm at 0w.se) wrote:
> Hello everyone,
>
> For a very short introduction:
>
> We seem to be the first project offering bootstrappable and verifiable
> builds without any binary seeds.

If I did not misunderstand you, with your definition of "without any
binary seeds" (i.e. it is sufficient that there are multiple independent
ways to build the seeds from available systems/software) other
bootstrappable projects are also "without any binary seeds".

For example, the stage0 project can be built with either
- minimal size binary seeds
- sed binary and xxd binary and a way to invoke them
- a POSIX shell that supports printf builtin
- a POSIX shell and printf binary

depending on which you trust most.

In particular, the bootstrap from stage0-posix (X86 Linux) up to gcc
4.9.4 can be performed starting from a source folder that only contains

- subdirectories (permissions 755)
- relative symbolic links
- UTF-8 text files (permissions 644) where each line is either a Form
   Feed or contains only
   "\a\t\x{0020}-\x{007E}\x{00A1}-\x{017F}\x{03b1}\x{2010}-\x{2026}"
   (obviously that regex could be made shorter at the cost of patching
   more source files)

and a way to execute xxd, chmod +x and chroot.

> We do not see any chance of achieving a fully verifiable bootstrap if
> it needs a trusted platform (hardware + tools to put the initial binary
> code, sources and scripts in memory). Even a hypothetically present
> suitable platform, say built from vacuum tubes made by oneself, would
> be insufficient. Hardly anyone else could duplicate the building effort,
> to be able to verify the result.
>
> On the other hand, if the results of a bootstrap converge for many
> independent parties on many different platforms, then attacks to subvert
> the verification become infeasible.

Fair point.

> Another, non-technical, consideration was the advantage of providing a
> bootstrap path without involving software with the GNU licenses, because
> they are too restrictive for certain uses or tastes.

Debatable. Preferring small software to large software definitely helps
with the auditing work. On the other hand, if at the end you want to run
gcc on Linux anyway, you won't get around auditing it.

> [1] the site is available through the Tor/onion network

This seems like a strange decision. If you want to avoid hosting on the
clearnet, I think IPFS would have been the better choice, for its
guarantee that content is immutable once provided. Also IPFS files can
be easily linked from the clearnet if you desire.

I uploaded the website (start page) to
<https://ipfs.io/ipfs/QmT2Mo4pcCGSf3iJ6NnU8nFv7yEUiM8mU62ArWbcdikEVn>

And the archive to
<https://ipfs.io/ipfs/QmRzUbT3LqL8Q1tiMo3gg45PUSvABAbwDDxbRoKgtnpXtQ?filename=website.tar.gz>

Regardless of whether you download from IPFS or from Tor, be careful, as
the archive is a "tar-bomb", i.e. it extracts its content into the
current directory and not into a subdirectory.


> (VSOBFS project has no affiliation with the Tor Project)


Nor do I with IPFS.


Regards,


Michael
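As an added example (my code, not Michael's and not part of stage0), the following checker verifies a source folder against the constraints listed in the mail above: directories with mode 755, relative symbolic links, and UTF-8 text files with mode 644 whose every line is either a lone Form Feed or matches the quoted character classes. The sample tree it builds is constructed for the demonstration and is not a stage0 checkout; the regex is the mail's Perl-style expression transcribed to Python's `re` syntax.

```python
import os
import re
import tempfile
from pathlib import Path

# The mail's Perl-style regex rewritten for Python re; a line may instead be a single Form Feed.
ALLOWED_LINE = re.compile(r"\A(?:\f|[\a\t\x20-\x7e\xa1-\u017f\u03b1\u2010-\u2026]*)\Z")

def check_text(text: str) -> list:
    """1-based numbers of lines containing anything outside the allowed set (CR, NUL, emoji, ...)."""
    return [n for n, line in enumerate(text.split("\n"), 1) if not ALLOWED_LINE.match(line)]

def check_tree(root: str) -> list:
    """Report everything that is not a 755 directory, a relative symlink or a clean 644 UTF-8 text file."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):  # symlinks are listed but not followed
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode & 0o777
            if os.path.islink(path):
                if os.path.isabs(os.readlink(path)):
                    problems.append(f"{path}: absolute symbolic link")
            elif os.path.isdir(path):
                if mode != 0o755:
                    problems.append(f"{path}: directory mode is not 755")
            else:
                if mode != 0o644:
                    problems.append(f"{path}: file mode is not 644")
                try:
                    text = Path(path).read_bytes().decode("utf-8")  # strict decoding; CR is kept as-is
                except UnicodeDecodeError:
                    problems.append(f"{path}: not valid UTF-8")
                    continue
                problems.extend(f"{path}:{n}: disallowed character" for n in check_text(text))
    return problems

def build_sample_tree() -> str:
    root = Path(tempfile.mkdtemp(prefix="srccheck-"))
    (root / "src").mkdir()
    (root / "src").chmod(0o755)
    files = {  # constructed sample content (not a stage0 checkout): path -> (bytes, mode)
        "src/hello.c": (b"int main() { return 0; }\n\x0c\n", 0o644),  # clean, includes a Form Feed line
        "notes.txt": ("caf\u00e9 \u2013 ok\nbad \x00 byte\n".encode(), 0o644),  # NUL on line 2
        "build.sh": (b"echo hi\n", 0o755),  # executable, but the mail requires 644
    }
    for rel, (data, mode) in files.items():
        (root / rel).write_bytes(data)
        (root / rel).chmod(mode)
    (root / "link.c").symlink_to("src/hello.c")  # relative symlink, permitted
    return str(root)
```

Running `check_tree(build_sample_tree())` reports exactly two findings: the executable `build.sh` and the NUL byte on line 2 of `notes.txt`.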