gnu-misc-discuss

Re: Risks of deterministic builds


From: Jean Louis
Subject: Re: Risks of deterministic builds
Date: Thu, 8 Apr 2021 20:59:01 +0300
User-agent: Mutt/2.0.6 (2021-03-06)

* Jan Nieuwenhuizen <janneke@gnu.org> [2021-04-08 16:43]:
> Martin writes:
> 
> > Maybe freedom in "free software" shouldn't require the code to be
> > open either. Let's just blindly trust some saint developers who
> > cannot even control their own binaries. Actually today we are closer
> > and closer to that sad scenario, like never before in history,
> > because in fact most of the open-source and GNU "free software"
> > nowadays is based on blackboxed binary seeds that cannot be verified by
> > the users, not even by the core developers.
> 
> The bootstrappable project, GNU Mes and GNU Guix are working to fix that
> 
>     https://guix.gnu.org/en/blog/2020/guix-further-reduces-bootstrap-seed-to-25/
>     https://fosdem.org/2021/schedule/event/gnumes/

Janneke, that is probably the most important step for GNU and free
software in general. Once it becomes public enough and awareness is
raised, many distributions will be nullified in terms of being fully
free.

I guess that the Free System Distribution Guidelines will also need to be
updated when Guix gets its full bootstrap from source, so that every OS
has to be bootstrapped from GNU Guix. Guix will become the primary root
distribution for every other distribution, or otherwise they are not
trusted.

It does not mean that distributions are "secure" just because a
bootstrapping process exists; there is so much more work around
that. It is very simple even to replicate the bootstrapping process
and provide source from one malicious source; that is enough to
corrupt the whole process for common users.

However -- this does not exclude malicious code in various compilers;
we still do not know if something is injected in a smart way. We still
have to trust it. This is just one step forward to full inspection of
the software. The NSA, according to stories, has already asked Torvalds to
inject backdoors. I don't think they will simply give up on their
intentions.

I have read it, and am researching, but do not yet get how to start. I
have downloaded stage0; is that the place to start?

Jean
