Re: Risks of deterministic builds

From: Jan Nieuwenhuizen
Subject: Re: Risks of deterministic builds
Date: Thu, 08 Apr 2021 22:40:04 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Jean Louis writes:

> * Jan Nieuwenhuizen <> [2021-04-08 16:43]:
>> Martin writes:
>> > Maybe freedom in "free software" shouldn't require from the code to be
>> > open neither. Let's just blindly trust some saint developers who
>> > cannot even control their own binaries. Actually today we are closer
>> > and closer to that sad scenario like never before in the history,
>> > because in fact most of the open-source and GNU "free software"
>> > nowadays base on blackboxed binary seeds that cannot be verified by
>> > the users not even by the core developers.
>> The bootstrappable project, GNU Mes and GNU Guix are working to fix that
> Janneke, that is probably most important step for GNU and free
> software in general.

Thanks, we believe so too.

> I have read it, and researching, but yet do not get how to start. I
> have downloaded stage0, is that the place to start?

It's currently not very easy to do this all by hand.  Easiest to see
what's happening would be to use Guix: the bootstrap is fully "scripted"
there by packages and their dependencies.  If you look at:

you can see it all starts with 'bootstrap-seeds'.  You can "build" that
package (the seeds are just a download, of course) by (checking out
the guix wip-full-source-bootstrap branch, building it) and, doing

    $ ./pre-inst-env guix build -e '(@@ (gnu packages commencement) 

and you'll see the 357-byte hex0-seed in there.  This is used to build
the 'm2-planet-boot' package which uses kaem scripts (any shell will
do) to build hex0, hex1, M0, M1, hex2 and m2-planet:

    $ ./pre-inst-env guix build -e '(@@ (gnu packages commencement) 

then onto mes-boot

    $ ./pre-inst-env guix build -e '(@@ (gnu packages commencement) mes-boot)'

and so on.  In fact, each time you build or install a package using
Guix, these (bootstrap) dependencies are resolved and -if necessary- all
built automagically.

The first working version of 'wip-full-source-bootstrap' triggered the
'live-bootstrap' effort:

aiming to script/redo (change, improve, ...) this bootstrap outside
of/without Guix.


Jan Nieuwenhuizen <> | GNU LilyPond
Freelance IT | Avatar®
