[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: GNU Mes 0.24 released
From: |
Sébastien Lerique |
Subject: |
Re: GNU Mes 0.24 released |
Date: |
Sun, 08 May 2022 22:55:41 +0900 |
Amazing indeed!
On 07 May 2022 at 16:11, Larry Doolittle <larry@doolittle.boa.org> wrote:
>> The common objection is: “you’re building from source but you’re not
>> gonna audit all that source code anyway, so why bother?” [...]
>> Supply chain security is a spectrum and I think this achievement changes
>> what we can expect and demand.
>
> I've had this conversation before, any my analogy is to the
> three legs of a stool. Bootstrapped toolchains, reproducible builds,
> and source-code audits. Each one is arguably useless without the others,
> but taken together, you've actually accomplished something meaningful.
> Maybe I should also include "cryptographically signed artifact distribution"
> on that list.
>
In a similar line, Bunnie Huang gave an interesting talk about the
hardware trust level a few years ago [0], which led to the Precursor
project [1,2].
Cheers,
Sébastien
[0]
https://media.ccc.de/v/36c3-10690-open_source_is_insufficient_to_solve_trust_problems_in_hardware
[1] https://www.crowdsupply.com/sutajio-kosagi/precursor
[2] https://www.bunniestudios.com/blog/?p=5979