Debating Full Source Bootstrap

[ahojlm at 0w.se]

On Tue, Nov 14, 2023 at 03:00:29PM -0800, Vagrant Cascadian wrote:
> On 2023-11-14, ahojlm at 0w.se wrote:
> > On Tue, Nov 14, 2023 at 10:18:01AM -0800, Vagrant Cascadian wrote:
> >> On 2023-11-14, ahojlm at 0w.se wrote:
> > The result of VSOBFS does not depend on the host binaries used in
> > the process. You can freely replace them with ones of your choice,
> > as long as those are functional at all.
> 
> Not quite full agreement, apparently. Just because you can freely
> replace them does not mean to me that it is fully from source. It still
> depends on arbitrary toolchains outside of the source. That kind of just
> sounds like... bootstrapping.

I appreciate your friendly tone and the occasion to discuss
the topics related to reproducible builds and to VSOBFS.

At the same time, it is hard to appreciate that you continue with
persuasive definition of "dependency", superficially convenient to
discredit the VSOBFS in the contended priority claim.

Thus:

I challenge you to explain how the use (of an arbitrary implementation)
of a toolchain and of the other necessary tools affects the
certainty of *source-only-based* provenance of the result in VSOBFS.

> Though... what is really exciting is VSOBFS has the excellent property
> [...]
> truely, truely great!

Thanks. I am glad you find it useful.

> > sure about the source provenance of the resulting OS, regardless which
> > hard- and software you have used.
> 
> These are great properties! But... not what I would call a full source
> bootstrap. So perhaps we just disagree on terms. I would call VSOBFS

We do disagree on terms.

> something like "Diversely Verifiable Bootstrap" based on the description.

Please, Vagrant,

a redefinition of VSOBFS (which for a reason stands for *all* of
"Verifiable Source Only Bootstrap") feels like a hostile move
meant to undermine my priority position against Guix's offensive marketing.

I appreciate if you can avoid this, at least until you give a reasonable
answer to the challenge above.

> > the phrase
> > "something that had never been achieved, to our knowledge, since the
> > birth of Unix"
> > does not belong there in the Guix blog which started the controversy.
> >
> > This is what I kindly ask to correct.

(Among others, kindly asked Janneke himself, he was apparently
not available for comments)

> I sincely doubt that will get changed at this point by reiterating the
> same arguments

I do not intend to reiterate. All relevant has been said.

As for the blog fix, to remove the phrase would mean for Guix to admit
that the claim has been unwarranted. Whoever made it in bad faith[1]
has now a lot to lose by admitting the wrongdoing. I agree, this is not
going to happen.

> but you have definitely made your case, and I think the
> arguments have been heard and understood by many of the people involved,
> even if in the end some people choose to disagree.

I thank the community on this list for letting me present my view
and for the discussion of the goals and merits of different approaches
to trustable software provisioning, by source-based bootstrapping.

We have possibly also uncovered more of related projects,
(right now I see a message about ElectroBSD having arrived),
that's great.

> live well,
>   vagrant

Regards,
 an

[1] Janneke Nieuwenhuizen <janneke at gnu.org> has never addressed any of
my arguments and chose to never reply to any of my letters regarding the
blog entry in question. This does not look like anything but bad faith,
if you ask me.