limits to verifiability
Ludovic Courtès
ludo at gnu.org
Sun Nov 26 14:50:58 UTC 2023
Hello,
ahojlm at 0w.se skribis:
> The practicality of SSSBEA-CODRB means that the efforts aimed at
> *minimizing the starting binary seed* and at creation of an
> *inspectable-in-binary-form* seed like e.g. in GNU
> Mes[11]<sup>,</sup>[12] seem misdirected, such a seed is now known to be
> unnecessary for a full-integrity bootstrap.
>
> The use of a misnomer “full-source bootstrap” denoting the intention to
> treat the binary seed as if it were source[13] may regrettably have
> contributed to the disorientation of the development.
I agree that diverse-double compilation and what’s described here as
“self-sufficient source-to-binary equivalence assurance via consensus of
diverse reproducible builds” are valuable approaches to establishing
trust in binaries.
This approach is different from the one taken in Guix, live-bootstrap,
and Freedesktop-SDK (with Mes, stage0, and related projects making it
possible), but both have their merits.
I disagree that “full-source bootstrap” is a misnomer, let alone that it
“disoriented” development. For one thing, it has demonstrated its
“practicality” since it’s actually used today.
Now, only recently did I catch up on rb-general. What I’ve seen in
recent threads is a pattern of attacks, including repeated personal
attacks, that have little to do with the technical merits of this or
that approach. I wish moderators of this list would speak up and set
limits on what behavior is acceptable in Reproducible Builds fora.
Thanks in advance,
Ludo’.
More information about the rb-general
mailing list