Debating Full Source Bootstrap

Vagrant Cascadian vagrant at reproducible-builds.org
Thu Nov 16 19:43:40 UTC 2023 

On 2023-11-16, ahojlm at 0w.se wrote:
> On Wed, Nov 15, 2023 at 11:11:47AM -0800, Vagrant Cascadian wrote:
>> On 2023-11-15, ahojlm at 0w.se wrote:
>> > I challenge you to explain how the use (of an arbitrary implementation)
>> > of a toolchain and of the other necessary tools affects the
>> > certainty of *source-only-based* provenance of the result in VSOBFS.
>
>> It certainly seems source-based, and it makes a strong correlation
>> between the source and the resulting artifacts by getting to a
>> bit-for-bit identical result from diverse paths.
>
> You seem to be unaware of the fact that VSOBFS ensures equivalence between
> the artifacts and the sources.

I am operating under the assumption (based on what you have said, as I
have not personally verified it) that VSOBFS provides bit-for-bit
identical artifacts built from a given source, with an arbitrary set of
toolchain implementations on a variety of OSes.

Which is to say, no, I am not unaware of this...

It is exactly why I have been praising VSOBFS. It combines aspects of
reproducible builds, diverse-double compiling, and bootstrapping to
provide this "equivalence between the artifacts and the sources" with
what I would call a very high degree of confidence.


> Calling equivalence "a strong correlation" can be mistaken for an attempt
> to spread FUD. This would be very unfortunate, wouldn't it?

It is most unfortunate that you appear to be inferring that from what I
said.


>> Source only? Sure!
>> Verifyable so? Sure!
>> Full source? *shrug*
>
> You still did not answer the question, so let me repeat:
>
> how the use (of an arbitrary implementation)
> of a toolchain and of the other necessary tools affects the
> certainty of *source-only-based* provenance of the result in VSOBFS?
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> My answer:   does not affect in any way.
> Your answer: ?

I did not refute what you are saying because I did not disagree with it.
I agree, based on what you are saying VSOBFS does, that it provides a
very strong degree of certainty that the sources are what is used to
produce bit-for-bit identical artifacts regardless of toolchain. With my
reproducible builds hat on, that is something to cheer on!

I simply do not agree that VSOBFS is a Full Source Bootstrap, as
mentioned in the article that seemed to evoke such a strong response.

Both the Guix Full Source Bootstrap and VSOBFS provide an auditability
path from source to binary artifacts with very strong confidence. This
is not a zero-sum game.


>> I also note, that presumably using a guix or live-bootstrap based
>> toolchain as one of the possible diverse implementations for VSOBFS,
>> makes an even stronger correlation. That is the beauty of diverse
>
>> These projects can be used to make even stronger claims than any
>> individual project could alone.
>
> Your reasoning is based on an incorrect premise that VSOBFS would
> lack some of its crucial key virtues. This can only indicate that
> you did not get sufficient information (I can hardly think of any
> other reason?).

Not at all! I made no claim that it lacks any "crucial key virtues".


> Guix can not become "a foundation for" or "an implementation of VSOBFS",
> because the very concept of VSOBFS is to be its own complete foundation,
> usable with a wide set of starting points.

You can take an arbitrary C toolchain, yes? By using the C toolchain
that Guix or live-bootstrap provide to build VSOBFS as one of the
possible C toolchains, as part of the set of starting points, you get
the benefits of VSOBFS as well as the guix/live-bootstrap projects.

VSOBFS strength does not rely on the auditability of the potential set
of diverse starting points, but surely it is more ideal if some of the
starting points are themselves more auditable?


> Let me provide some basic facts:
>
> 1. VSOBFS yields the byte-for-byte identical result, irrespective of
> the host platform used to start from. This reflects the equivalence
> to the source, not a "correlation".

I do not believe anything is infallible, and so I typically try to speak
in terms of degree of confidence. So to me it is a strong correlation,
or strong confidence of equivalence if you prefer, not an absolute
proof.

This certainly makes me terrible at marketing.


> 2. VSOBFS is a full-strength solution.
>
> Talking about "stronger correlation" and "stronger claims" can presumably
> only stem from your insufficient familiarity with the matter.

Again, I speak in terms of confidence and stronger claims, not
absolutes.


> Otherwise it could even look like an insistent continuation of
> FUD. Nice that we have avoided such an uncomfortable interpretation.

I praise VSOBFS for an impressive technical feat.

I lament the way in which the advocate carries on; I unfortunately do
not forsee value in further dialogue.

If you want the last word, go ahead. Please do be careful to not to
assert or imply or infer the intentions or agreement or disagreement of
others, as that seems to me to be the main place where things have gone
wrong.


live well,
  vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20231116/822d7b28/attachment.sig>

More information about the rb-general mailing list