Larry Doolittle <la...@doolittle.boa.org> writes:
> Ludovic and friends - > > On Sun, May 08, 2022 at 12:34:47AM +0200, Ludovic Courtès wrote: >> Jan Nieuwenhuizen <jann...@gnu.org> skribis: >> > Mes has now been ported to M2-Planet and can be bootstrapped using >> > stage0-posix[0], starting from the 357-byte hex0 binary of the >> > bootstrap-seeds[1], as was promised at FOSDEM'21[2]. >> This is amazing… congrats to you & everyone involved! You made it! :-) > > +1 > >> The common objection is: “you’re building from source but you’re not >> gonna audit all that source code anyway, so why bother?” [...] >> Supply chain security is a spectrum and I think this achievement changes >> what we can expect and demand. > > I've had this conversation before, any my analogy is to the > three legs of a stool. Bootstrapped toolchains, reproducible builds, > and source-code audits. Each one is arguably useless without the others, > but taken together, you've actually accomplished something meaningful. > Maybe I should also include "cryptographically signed artifact distribution" > on that list. > > - Larry With works this sturdy then even two tool domains suffice as a fine and versatile stepladder... Great job everybody! - Jonathan