Comment by lrvick 2 days ago
We cannot even include it in stagex because there is still literally no way to compile it from source and thus no way to do a real reproducible build, and there is no one left that cares about the language enough to do this.
Honestly it has to be regarded as a dead language until this is resolved.
I said it has to be treated as a dead language. I did not say it actually is one.
Being able to compile a compiler without binary blobs is a hard prerequisite to using that language for any application where security matters.
A language can have an active community and still be unsuitable for any real world use cases. Fortran is bootstrappable so I consider it more viable than haskell for real world use, even though it has far fewer fans (understandably).
Maybe it is more fair to call haskell an academic language or hobby language since it prioritized language design over basic supply chain security thus far.
If it becomes bootstrappable, then of course all the above critique is immediately retracted.
> If it becomes bootstrappable, then of course all the above critique is immediately retracted.
So basically you're saying you're just trying to get people to carry water for your project?
> because there is still literally no way to compile it from source
https://gitlab.haskell.org/ghc/ghc/-/wikis/building/#buildin...
I cannot comprehend how you can get to the conclusion that a compiler that was litterally made so that people could hack into it and learn from that has no build documentation.
My project has no need of Haskell, but if anyone puts in the work to make haskell compileable from only public source code my team and I will put in the work to reproduce, package, and maintain it for the community for free as we do most other languages.
Your link details building GHC with an existing non reproducible GHC compiler binary compiled by a single individual that must be blindly trusted.
Full source bootstrapping means no binary blobs or trust in anyone else needed, which makes supply chain integrity possible. This is a bare minimum for any language to be considered for production use in any environment where security matters.
To me it -is- crazy when a major language compiler skips something so basic, but Haskell did.
To be fair rust team skipped this too, but thankfully rust is popular enough that a community member cared enough about high security applications to write mrustc, a bootstrap rust compiler written in C++. If not for that Rust would be in the same boat as Haskell.
Meanwhile Go and Zig did it right, and have both provided full source bootstrapping instructions from a C compiler since day 1.
I dug into this and it turns out there's an active, multi year effort underway to solve exactly this, along the exact ways you´d expect, with references to guix and bootstrappable.org etc, making steady progress: https://discourse.haskell.org/t/what-s-needed-to-bootstrap-g...
Reading through that thread gives me a very different idea of the state of haskell than I got from reading your comments.
Efforts pop up every once in a while, usually with no results. As I said elsewhere, if they actually pull it off this time then my tone changes to one of willingness from my team and I to put in the work to use these efforts to support deterministic multi-signed builds in stagex.
It would make GHC (and pandoc) something we could have in tree which would be awesome. I am just annoyed it seems like such a low priority.
This entire thread, including your original comment, isn’t really about your efforts though. It was about Haskell.
As I said : I read your comments, formed an idea based on that, dug deeper to see for myself, and got a completely different picture.
Whether that is because of how you write or because of how I read I’ll leave for you to decide.
Interesting logic:
Declare something "dead" because it does not fulfill [extremely niche usecase that currently only few people care about] (boostrapped builds) and thus couldn't "even" be included in [project of the post author that takes a while to even find] (I eventually figured it must be referring to https://stagex.tools).
There are probably 100x more people interested in Haskell than in build-bootstrapping (the Haskell reddit alone has 16k weekly users).
What's next, calling JavaScript a dead language until it focuses on dependent typing?
(I think bootstrappable builds are a good thing to strive for, but that should not be confused with language usage or what people really care about.)