Blog post about a talk by Ken Thompson and the original Trusting Trust attack finally released

ahojlm at ahojlm at
Sat Oct 28 19:24:40 UTC 2023

Dear Marcel,

On Sat, Oct 28, 2023 at 05:04:06PM +0200, Marcel Fourné wrote:
> On Thu, 2023-10-26, at 12:14:30 +0200, Janneke Nieuwenhuizen wrote:
> >

> Thank you for your amazing work though! If it'd been me, I'd have linked to both (and will probably do in my dissertation).

Citing the Guix blog at the URL above:
"[...] something that had never been achieved, to our knowledge, since the
birth of Unix.
We refer to this as the Full-Source Bootstrap"

Readers of this list should have noticed that a source-only verifiable
bootstrap has been achieved earlier. The work presented in [1]
provides a full proof of provenance of a verifiable POSIX-like system
with a development toolchain, without a reliance on any binary seed.

I hope that if you choose to mention the Guix blog post, then
you would also refer to the prior solution [1].

To be fair, building any GNU/Linux distribution is a great amount of work
and Guix developers should be credited for _that_.

On the other hand, presenting bootstrapping from machine codes as the
only and also as the "first" solution to full verifiability is plainly
not correct.

Best regards,


> --
> Marcel FOURNÉ
> Please note that I honour and respect boundaries around personal
> time, well-being, care-taking and the rest.
> Should you receive correspondence from me during a time that you're
> engaging in any of the above, please protect your time and wait to
> respond until you're next working or in front of a PC.
> Prioritize joy and not e-mail when and where you can.


More information about the rb-general mailing list