Re: Blog post about a talk by Ken Thompson and the original Trusting Trust attack finally released

2023-10-30 Thread David A. Wheeler
> On Oct 30, 2023, at 7:04 AM, Orians, Jeremiah (DTMB) wrote:
> DDC only works if either a) you have a trusted compiler or b) 2 compilers that don't share a common compromise. Bootstrappable builds ensures we do have a trusted suite of compilers. So, unless you have proof of one of

RE: Blog post about a talk by Ken Thompson and the original Trusting Trust attack finally released

2023-10-30 Thread Orians, Jeremiah (DTMB)
> Wait, fetching those 357 seed bytes and the needed sources from Guix repository happens to imply some use of external binaries... probably sized at least several megabytes? Then what was the point with Guix being "first", compared to, as you say, Debian?

It is available in printed

RE: Blog post about a talk by Ken Thompson and the original Trusting Trust attack finally released

2023-10-30 Thread Orians, Jeremiah (DTMB)
> Readers of this list should have noticed that source-only verifiable bootstrap has been achieved earlier. The work presented in [1] provides a full proof of provenance of a verifiable Posix-like system with a development toolchain, without a reliance on any binary seed.

If your

Creating OmniBOR documents for build-reproducible Debian packages

2023-10-30 Thread Yongkui Han (yonhan) via rb-general
Hi folks, I want to share with you the latest Bomsh tool update on OmniBOR and reproducible build, especially the below bomsh_rebuild_deb.py script: https://github.com/omnibor/bomsh/blob/main/scripts/bomsh_rebuild_deb.py Given the Debian .buildinfo file, this script is able to reproduce the