Hi,
I just want to add some perspective from the bootstrapping.
On 2024-04-04 21:48, Attila Lendvai wrote:
> all in all, just by following my gut instincts, i was advocating for building
> everything from git even before the exposure of this backdoor. in fact, i found
> it surprising as a guix newbie that not everything is built from git (or their
> VCS of choice).
That has happened to me too.
Why not use Git directly always?
In the bootstrapping it's also a problem, as all those tools (autotools)
must be bootstrapped, and they require other programs (compilers) that
actually use them. And we'll be forced to use git, too, or at least
clone the bootstrapping repos, git-archive them ourselves and host them
properly signed. At least, we could challenge them using git (similar to
what we do with the substitutes), which we cannot do right now with the
release tarballs against the actual code of the repository.
In live-bootstrap they just write the build scripts by hand, and ignore
whatever the ./configure script says. That's also a reasonable way to
tackle the bootstrapping, but it's a hard one. Thankfully, we are
working together in this Bootstrapping effort so we can learn from them
and adapt their recipes to our Guix commencement.scm module. This would
be some effort, but it's actually doable.
Hope this adds something useful to the discussion,
Ekaitz
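
The check discussed in the message above, comparing a release tarball against a git-archive of the same tag, sketched as an added example (not part of the original message and not Guix code). The file names and contents are constructed sample data, and `file_digests`, `compare` and `make_tar` are hypothetical helper names.

```python
import hashlib
import io
import tarfile


def file_digests(tar_bytes):
    """Map each regular file's path (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Release tarballs and `git archive --prefix=` output both wrap the
            # tree in one top-level directory; drop it so the paths line up.
            path = member.name.split("/", 1)[-1]
            digests[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def compare(release_bytes, archive_bytes):
    """Report how a release tarball deviates from the archive made from git."""
    release = file_digests(release_bytes)
    archive = file_digests(archive_bytes)
    common = release.keys() & archive.keys()
    return {
        # Typically generated autotools output (configure, Makefile.in, ...),
        # which is exactly the part nobody can review in the repository.
        "only_in_release": sorted(set(release) - set(archive)),
        "only_in_git": sorted(set(archive) - set(release)),
        "modified": sorted(p for p in common if release[p] != archive[p]),
    }


def make_tar(prefix, files):
    """Build an in-memory .tar.gz from a {path: bytes} dict (demo helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample trees: the "release" ships a generated configure script
# and an m4 file whose content differs from what is in git.
GIT_TREE = {"configure.ac": b"AC_INIT([demo],[1.0])\n", "m4/check.m4": b"dnl from git\n"}
RELEASE_TREE = {**GIT_TREE, "configure": b"#!/bin/sh\n", "m4/check.m4": b"dnl differs\n"}

if __name__ == "__main__":
    report = compare(make_tar("demo-1.0", RELEASE_TREE), make_tar("demo-1.0", GIT_TREE))
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

With real inputs, the second argument would be the bytes of a tarball produced by `git archive` from the release tag; every path reported as `modified` or `only_in_release` is content that cannot be checked against the repository history.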