Comment by lrvick a day ago

The normalized lack of care about supply chain integrity is going pretty poorly, as any read of recent headlines indicates.

Stagex has a 100% full-source bootstrapping and reproducibility requirement that at least two maintainers must prove and sign for every package.

Stagex is also very heavily used and relied on in high value financial and scientific applications where trusting a binary some internet rando compiled is not even remotely acceptable.

Haskell and Ada are locked out of any high security applications until they are bootstrappable.

tennysont 14 hours ago

I was under the impression that most supply chain attacks target source code, not binaries, especially for large projects like OpenBSD.

Does StageX audit source code to the same extent that OpenBSD does? If not, then how would you compare the downgrade in security due to less code auditing vs the reassurance of reproducible builds?

Or, how would you compare StageX with Gentoo, in which the entire system is installed from source. Sure, you have to trust your initial installer, but how could I get a StageX system setup without first having access to a computer with some software installed? If we're at the point where we're worried that every Haskell program that has ever been compiled is owned, then I wonder why I should trust any software that might install StageX onto my computer, or the underlying hardware for that matter?

gf000 a day ago

I'm not saying the status quo is good, but it is nonetheless the status quo. Just about every machine on the cloud, mobile devices, etc. all have non-source binaries somewhere, and besides some niche projects that actually have an assembly half-C compiler bootstrapping another tiny C compiler bootstrapping a real C compiler, this is not feasible for the vast software ecosystem as of today.

  • jeremyjh a day ago

    Most mainstream languages have a fairly straightforward bootstrapping process that doesn't rely on a trusted binary. And yes, most distributions ignore that, but nonetheless it is possible to use those languages in a high-sec environment if you put the work in.

    I'm not sure that I agree that GHC can't be bootstrapped though. There is a process for porting to other architectures; it's not an automated process and perhaps no one outside the GHC team can actually do it, but if for some insane reason NSA decided they want to use Haskell I'm not sure that they actually can't, if they put a lot of work in and hire GHC committers with high security clearances.

    • lrvick a day ago

      GHC absolutely could be bootstrapped, but someone versed in that ecosystem would have to put in a lot of work to do it.

      If they ever do, my team and I will put in the work to package and maintain it in stagex.

  • lrvick a day ago

    Stagex can already support all of those use cases provided they are not written in Haskell or Ada, and in fact Stagex is already used heavily in production. We bootstrap everything deterministically from 180 bytes of human auditable x86 machine code.

    Rust, Go, Nodejs, we have you covered with complete full source bootstrapping and multi-party signed reproductions.

    There is no good excuse for poor supply chain integrity anymore.
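The thread above refers twice to a reproducibility requirement under which at least two maintainers independently rebuild a package and sign the result. The following is an added example, not Stagex code and not from any of the commenters, that models the agreement check behind such a policy: each maintainer rebuilds from the same source, attests to the digest they observed, and the package is accepted only if a threshold of distinct maintainers agree and nobody saw a different result. The signature step is deliberately left out (it would be a detached signature over the digest in practice); the build functions, maintainer names and source input are all constructed for illustration.

```python
import hashlib
import random
import time
from typing import Callable, Dict, Iterable


def digest(artifact: bytes) -> str:
    """SHA-256 of the built artifact; this is what maintainers attest to."""
    return hashlib.sha256(artifact).hexdigest()


def deterministic_build(source: bytes) -> bytes:
    """Constructed stand-in for a reproducible build: output is a pure
    function of the input (normalize whitespace, sort lines)."""
    lines = sorted(line.rstrip() for line in source.decode().splitlines())
    return ("\n".join(lines) + "\n").encode()


def nondeterministic_build(source: bytes) -> bytes:
    """Constructed stand-in for a non-reproducible build: embeds a build
    timestamp and a random build ID, two classic sources of irreproducibility."""
    stamp = f"# built at {time.time_ns()} id={random.getrandbits(32)}\n"
    return stamp.encode() + deterministic_build(source)


def collect_attestations(build: Callable[[bytes], bytes],
                         source: bytes,
                         maintainers: Iterable[str]) -> Dict[str, str]:
    """Each maintainer rebuilds independently and records the digest they got.
    (Hypothetical maintainer names; a real attestation would also carry a
    signature over the digest, omitted here.)"""
    return {m: digest(build(source)) for m in maintainers}


def verify_reproduction(attestations: Dict[str, str],
                        expected: str,
                        threshold: int = 2) -> bool:
    """Accept only if at least `threshold` distinct maintainers attested the
    expected digest AND no maintainer observed a different digest. A single
    dissenting reproduction is treated as a failed build, not outvoted."""
    agreeing = [m for m, d in attestations.items() if d == expected]
    dissenting = [m for m, d in attestations.items() if d != expected]
    return len(agreeing) >= threshold and not dissenting


# Constructed sample source for the demonstration.
SOURCE = b"int main(void) {   \n    return 0;\n}\n"


def demo() -> Dict[str, bool]:
    """Run the policy against a reproducible and a non-reproducible build."""
    expected = digest(deterministic_build(SOURCE))
    good = collect_attestations(deterministic_build, SOURCE, ["alice", "bob"])
    bad_expected = digest(nondeterministic_build(SOURCE))
    bad = collect_attestations(nondeterministic_build, SOURCE, ["alice", "bob"])
    return {
        "reproducible_two_signers": verify_reproduction(good, expected),
        "reproducible_one_signer": verify_reproduction({"alice": expected}, expected),
        "nondeterministic": verify_reproduction(bad, bad_expected),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

Note the asymmetry in `verify_reproduction`: agreement by two maintainers is necessary but not sufficient, because any third maintainer who cannot reproduce the digest blocks acceptance. That is the property that makes a timestamp or random build ID surface immediately rather than being masked by a lucky pair of matching builds.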