Re: How to talk to skeptics?

2022-12-21 Thread FC Stegerman
* "Bernhard M. Wiedemann via rb-general" [2022-12-14 20:30]: > a colleague of mine is rather skeptic towards bootstrapping and > reproducible-builds. > [...] > In the end, it would be useful to collect some well-worded / well-thought > counter-arguments on r-b.o (if we don't have that already) >

Re: How to talk to skeptics?

2022-12-21 Thread David A. Wheeler
I suggest writing a longer paper on "why reproducible builds" and posting it on the r-b website. Here are few quick points from me that might be helpful. In general, we should focus on risk.. but not just current risk, but future risk. It's absolutely *true* that unintentional vulnerabilities

Re: How to talk to skeptics?

2022-12-21 Thread Bernhard M. Wiedemann via rb-general
On 18/12/2022 02.09, Martin via rb-general wrote: Controlling hardware is essential https://www.bunniestudios.com/blog/?p=5706 Covers the topic of why open-source hardware is not enough to build trustable devices. TLDR: there are ways to subvert silicon that cannot be detected, even

Re: How to talk to skeptics?

2022-12-18 Thread Jeremiah
> That's really awesome work like many other out there > https://codeberg.org/StefanK/MinimalBinaryBoot . I hope it won't end > up as yet another failed project that stuck somewhere in the middle of > the road. That really isn't our style, we produce results. Even if it means years of work. > But

Re: How to talk to skeptics?

2022-12-18 Thread Martin via rb-general
December 18, 2022 at 4:20 PM, jerem...@pdp10.guru wrote: > > > > > (i.e. to bootstrap linux from hex0 in practice you need to run it on > > linux anyway https://github.com/fosslinux/live-bootstrap ). > > > > Oh then you missed our latest work: > https://github.com/ironmeld/builder-hex0.git >

Re: How to talk to skeptics?

2022-12-18 Thread Daniel Shahaf
Martin via rb-general wrote on Sun, Dec 18, 2022 at 01:09:37 +: > In my opinion the biggest problem is that we are not able to audit and > verify any hardware implementation for this work so it cannot be > trusted at all. Controlling hardware is essential and it cannot be > replaced by

Re: How to talk to skeptics?

2022-12-18 Thread Jeremiah
> (i.e. to bootstrap linux from hex0 in practice you need to run it on > linux anyway https://github.com/fosslinux/live-bootstrap ). Oh then you missed our latest work: https://github.com/ironmeld/builder-hex0.git We wrote a POSIX kernel in under 4KB of hex0 that we can bootstrap with a single

Re: How to talk to skeptics?

2022-12-17 Thread Martin via rb-general
December 14, 2022 at 10:52 PM, "Vagrant Cascadian" wrote: > And yes, you eventually get down to how do you trust hardware... there > are a lot of rabbit holes here, and at the end of the day, you need to > prioritize what is the next important thing is, or what gets you the > most value in the

Re: How to talk to skeptics?

2022-12-17 Thread 9876
Hello all, yes, what Tristan wrote is true. I myself have introduced reproducible build approaches for controlling software in plants, because I want to know whether the old given sources (from the archive) first produce the same code that was delivered to the plant in the past, before (!) I do

Re: How to talk to skeptics?

2022-12-16 Thread Tristan van Berkom
Hello Bernhard, Due to my propensity to writing overly long and detailed emails, I have refrained until now from ever posting to this list, I'll try to be brief :) Some background, I am an author and maintainer of the BuildStream project: https://buildstream.build/ Which is an integration

Re: How to talk to skeptics?

2022-12-16 Thread John Neffenger
On 12/14/22 11:30 AM, Bernhard M. Wiedemann via rb-general wrote: He also once pointed me to https://blog.cmpxchg8b.com/2020/07/you-dont-need-reproducible-builds.html By the way, I think this person's argument falls apart here: "The only way to verify that the untrusted binary is

Re: [bootstrappable] How to talk to skeptics?

2022-12-15 Thread Dan Shearer
On Wed, Dec 14, 2022 at 11:00:49PM +, jerem...@pdp10.guru wrote: > But for the people who do choose to trust binaries, reproducible builds > is the only option you have to check if the source and the binaries > correspond. Yes, and in addition reproducible builds are also a way for people

Re: [bootstrappable] How to talk to skeptics?

2022-12-14 Thread Jeremiah
> We already fully trust the sources they release, and we already fully > trust their binary compiler releases. Well that assumption is 100% wrong. Trusting source code is the wrong place to place trust. And trusting binaries is just a bad idea in general. But for the people who do choose to

Re: How to talk to skeptics?

2022-12-14 Thread John Neffenger
On 12/14/22 11:30 AM, Bernhard M. Wiedemann via rb-general wrote: He also once pointed me to https://blog.cmpxchg8b.com/2020/07/you-dont-need-reproducible-builds.html I also wonder how all this verification is going to work. For example, I'll soon be providing reproducible builds of OpenJDK.

Re: How to talk to skeptics?

2022-12-14 Thread Vagrant Cascadian
On 2022-12-14, Bernhard M. Wiedemann via rb-general wrote: > a colleague of mine is rather skeptical towards bootstrapping and > reproducible-builds. > > E.g. he wrote > > https://fy.blackhats.net.au/blog/html/2021/05/12/compiler_bootstrapping_can_we_trust_rust.html This seems to miss the point

How to talk to skeptics?

2022-12-14 Thread Bernhard M. Wiedemann via rb-general
Hi, a colleague of mine is rather skeptical towards bootstrapping and reproducible-builds. E.g. he wrote https://fy.blackhats.net.au/blog/html/2021/05/12/compiler_bootstrapping_can_we_trust_rust.html and the effect can also be seen in his packaging such as