Debating Full Source Bootstrap

ahojlm at 0w.se
Thu Nov 16 08:39:25 UTC 2023


On Wed, Nov 15, 2023 at 11:11:47AM -0800, Vagrant Cascadian wrote:
> On 2023-11-15, ahojlm at 0w.se wrote:
> > I challenge you to explain how the use (of an arbitrary implementation)
> > of a toolchain and of the other necessary tools affects the
> > certainty of *source-only-based* provenance of the result in VSOBFS.

> It certainly seems source-based, and it makes a strong correlation
> between the source and the resulting artifacts by getting to a
> bit-for-bit identical result from diverse paths.

You seem to be unaware of the fact that VSOBFS ensures equivalence between
the artifacts and the sources.

Calling equivalence "a strong correlation" can be mistaken for an attempt
to spread FUD. This would be very unfortunate, wouldn't it?

> Source only? Sure!
> Verifiable so? Sure!
> Full source? *shrug*

You still did not answer the question, so let me repeat:

how the use (of an arbitrary implementation)
of a toolchain and of the other necessary tools affects the
certainty of *source-only-based* provenance of the result in VSOBFS?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

My answer:   does not affect in any way.
Your answer: ?

> I also note, that presumably using a guix or live-bootstrap based
> toolchain as one of the possible diverse implementations for VSOBFS,
> makes an even stronger correlation. That is the beauty of diverse

> These projects can be used to make even stronger claims than any
> individual project could alone.

Your reasoning is based on an incorrect premise that VSOBFS would
lack some of its crucial key virtues. This can only indicate that
you did not get sufficient information (I can hardly think of any
other reason?).

Guix cannot become "a foundation for" or "an implementation of VSOBFS",
because the very concept of VSOBFS is to be its own complete foundation,
usable with a wide set of starting points.

If Guix would redo its bootstrapping and rely instead on diverse multiple
bootstrap like VSOBFS, then the order would be inverse - the VSOBFS
concept would become a foundation for Guix. You happened (*of course
inadvertently*) to reverse the relation.

Let me provide some basic facts:

1. VSOBFS yields the byte-for-byte identical result, irrespective of
the host platform used to start from. This reflects the equivalence
to the source, not a "correlation".

The needed diversity is provided by the available POSIX-like starting
points (274 active distributions according to distrowatch.com, then
proprietary Unices and alikes on top of it. Guix is included there and
stands for about 0.36% of the diversity among OSS-distributions. Of
course, let us give it credit for that).

2. VSOBFS is a full-strength solution.

Talking about "stronger correlation" and "stronger claims" can presumably
only stem from your insufficient familiarity with the matter. Otherwise
it could even look like an insistent continuation of FUD. Nice that we
have avoided such an uncomfortable interpretation.

> > a redefinition of VSOBFS (which for a reason stands for *all* of
> > "Verifiable Source Only Bootstrap") feels like a hostile move
> > meant to undermine my priority position against Guix's offensive marketing.

> There was simply no hostility intended, apologies.

Apologies accepted.

Have a nice day,
 an
