Comment by rowanG077
Comment by rowanG077 2 days ago
How is ghc compiled at all without bootstrapping? Or is there a magic binary in tree that is unreproducible? I have compiled ghc a few times and had no problems.
Comment by rowanG077 2 days ago
How is ghc compiled at all without bootstrapping? Or is there a magic binary in tree that is unreproducible? I have compiled ghc a few times and had no problems.
The normalized lack of care about supply chain integrity is going pretty poorly, as any read of recent headlines indicates.
Stagex has a 100% full source bootstrapping, and reproducibility requirement that at least two maintainers must prove and sign for every package.
Stagex is also very heavily used and relied on in high value financial and scientific applications where trusting a binary some internet rando compiled is not even remotely acceptable.
Haskell and Ada are locked out of any high security applications until they are bootstrappable.
I was under the impression that most supply chain attacks target source code, not binaries, especially for large projects like OpenBSD.
Does StageX audit source code to the same extend that OpenBSD does? If not, then how would you compare the downgrade in security due to less code auditing vs the reassurance of reproducible builds?
Or, how would you compare StageX with Gentoo, in which the entire system is installed from source. Sure, you have to trust your initial installer, but how could I get a StageX system setup without first having access to a computer with some software installed? If we're at the point where we're worried that every Haskell program that has ever been compiled is owned, then I wonder why I should trust any software that might install StageX onto my computer, or the underlying hardware for that matter?
I'm not saying the status quo is good, but it is nontheless the status quo. Just about every machine on the cloud, mobile devices, etc all have non-source binaries somewhere, and besides some niche projects that actually have an assembly half-C compiler bootstrapping another tiny C compiler bootstrapping a real C compiler, this is not feasible for the vast software ecosystem as of today.
Yes, and that is a serious security problem because the only way to get trusted PCR values for TPM2 gated secure boot and full disk decryption applications, is with open source full source bootstrapped firmware.
Coreboot is the only option, but it has a hard requirement on Ada because that is what they wrote their intel graphics stack in.
It is a real mess.
Quite literally all distros today build it by downloading an existing magic binary to compile the latest sources. Even if they claim the package is reproducible, all bets are off on trust if it downloads a prebuilt binary in the build process. It is a prime Trusting Trust attack target.
The only other somewhat widely used language I am aware of in this bad of a position is Ada. Every other language I am aware of has a clear bootstrap path.