| 2 Dec 2022 |
 Rick (Mindavi) | It is possible, but there is no ready-to-use solution | 17:53:31 |
 cbwang | Thanks! I'm basically naively wondering if it is possible to build an ENTIRE minimum NixOS iso completely from source code of free software and with COMPLETELY no binaries (except stage0) involved at all. | 18:08:13 |
| cbwang | And, if the above procedure is possible, then the next goal would be make this process reproducible 😆 | 18:08:54 |
| cbwang | * And, if the above procedure is possible, then the next goal would be making this process reproducible 😆 | 18:09:24 |
| Rick (Mindavi) | Technically it should be, yeah | 18:10:42 |
| Rick (Mindavi) | But by default the bootstrap binaries are used | 18:10:54 |
| Rick (Mindavi) | And your host kernel | 18:10:59 |
| cbwang | In reply to @rick:matrix.ciphernetics.nl
And your host kernel But if this process can be reproducible no matter what host OS is, no matter what CPU is, then the host kernel is not required to be trusted | 18:12:42 |
| Rick (Mindavi) | Ah yes | 18:12:57 |
| Rick (Mindavi) | True :) | 18:12:59 |
| Rick (Mindavi) | I always wonder where one would start... | 18:14:26 |
| cbwang | Besides, if we really can achieve that, then we are going to have the first host OS that all the binaries are free | 18:14:22 |
| cbwang | In reply to @rick:matrix.ciphernetics.nl
I always wonder where one would start... A 256-byte assembler "hex0" from https://github.com/oriansj/bootstrap-seeds | 18:15:41 |
| cbwang | * A 256-byte assembler "hex0" from https://github.com/oriansj/bootstrap-seeds/blob/master/POSIX/x86/hex0-seed | 18:16:23 |
| Rick (Mindavi) | I mean | 18:16:45 |
| Rick (Mindavi) | Do you burn that on a usb stick and boot from it? | 18:16:56 |
| Rick (Mindavi) | 🧐 | 18:17:01 |
| Rick (Mindavi) | Or do you start with a host os and a statically linked nix or so? | 18:17:35 |
| cbwang | In reply to @rick:matrix.ciphernetics.nl
Do you burn that on a usb stick and boot from it? I would prefer to burn it on a DVD | 18:17:45 |
| Rick (Mindavi) | Or whatever nix | 18:17:50 |
| cbwang | In reply to @rick:matrix.ciphernetics.nl
Or do you start with a host os and a statically linked nix or so? Start with a nix that is built from a gcc bootstrapped from stage0 | 18:18:38 |
| Rick (Mindavi) | And that you can build on whatever host I guess? | 18:20:23 |
| cbwang | Yeah, and the nix binary should be reproducible on any x86 compatible hardware. | 18:21:00 |
| Rick (Mindavi) | Yeah, at least x86_64 | 18:21:27 |
| cbwang | In reply to @cbwang:matrix.org
Thanks! I'm basically naively wondering if it is possible to build an ENTIRE minimum NixOS iso completely from source code of free software and with COMPLETELY no binaries (except stage0) involved at all. I guess some people would love this. The cryptocurrency community for example, they treated security extremely seriously. The Solarwinds and XcodeGhost attack had demonstrated what a supply chain attack is capable of. | 18:29:17 |
| cbwang | Perhaps some day, some one would publish this: he compiled an entire NixOS from source code, except the 256-bytes stage0 is binary. Then he publishes his (gpg-signed) entire chain of trust, how he bootstrapped stage0 -> stage1 -> gcc -> nix -> ... NixOS iso, and telling the world that anyone can reproducible this chain of trust. | 18:33:52 |
| cbwang | * Perhaps some day, some one would publish this: he compiled an entire NixOS from source code, except the 256-bytes stage0 is binary. Then he publishes his (gpg-signed) entire chain of trust, how he bootstrapped stage0 -> stage1 -> gcc -> nix -> ... NixOS iso, and telling the world that anyone can reproduce this chain of trust. | 18:40:42 |
 Foxboron | In reply to @cbwang:matrix.org
Besides, if we really can achieve that, then we are going to have the first host OS that all the binaries are free Guix is already doing this fwiw | 18:50:28 |
| Foxboron | They started https://bootstrappable.org/ as a subproject under reproducible builds a few years ago. They have also been working hard on reducing the compiler stages beyond the seed binary with work on GNU mes C | 18:51:51 |
| cbwang | In reply to @foxboron:archlinux.org
Guix is already doing this fwiw However from https://data.guix.gnu.org/repository/1/branch/master/latest-processed-revision/package-reproducibility it seems that more than 10% of Guix packages are not reproducible | 18:54:03 |
