| 21 Jun 2021 |
 siraben | In reply to @hexa:lossy.network
and trending YAY | 01:22:25 |
 chreekat | In reply to @grahamc:nixos.org
any suggested text on how to communicate this? A short history of the effort? | 01:24:33 |
 Xe (xe/they) | what compiler bundle does nixos use as the root of the reproducibility effort? | 01:29:59 |
 hexa | you mean what's in stdenv(.cc)? | 01:30:39 |
| hexa | ❯ nix-build -A stdenv.cc
/nix/store/gg2rq3hrl3rf92nq6dnqhdyyxaa89aqf-gcc-wrapper-10.3.0
| 01:31:07 |
| Xe (xe/they) | is that c compiler used to rebuild itself? | 01:34:24 |
 @grahamc:nixos.org | that is already a post-bootstrapping gcc | 01:35:12 |
| Xe (xe/they) | oh, what's the bootstrapping root then? | 01:35:38 |
| @grahamc:nixos.org | it is a fairly standard set of tools that are made sure they can be built reproducibly and then tar'd up | 01:36:41 |
| @grahamc:nixos.org | 1s | 01:36:41 |
| @grahamc:nixos.org | Xe: https://search.nix.gsc.io/?q=http%3A%2F%2Ftarballs.nixos.org%2Fstdenv&i=nope&files=&repos= | 01:38:17 |
|  ziguana joined the room. | 01:39:00 |
| Xe (xe/they) | and the ultimate root is some set of tools that eelco originally made nix with? | 01:39:34 |
| @grahamc:nixos.org | iirc they came from suse | 01:40:31 |
| @grahamc:nixos.org | ~forever ago | 01:40:59 |
| Xe (xe/they) | so i guess if somehow there's a "more verifiable" way to make the root bundle of compilers then using it would boil down to replacing the tarball in bootstrapTools? | 01:42:23 |
| @grahamc:nixos.org | sure | 01:42:44 |
| Xe (xe/they) | i see | 01:43:00 |
| @grahamc:nixos.org | for example we could go through the process to bootstrap across a bunch of machines of different makes and models and OS's and find all the ways they build differently, make them build the same, and then decide that is probably good | 01:43:36 |
| @grahamc:nixos.org | another thing is progressively reducing the number of mystery meat bytes, also good, also hard work | 01:44:15 |
| @grahamc:nixos.org | I think it is good to make progress on this bootstrap problem over time, but I think it has diminishing returns and moves in to the realm of "is it plausible none of the users would notice the compromise?", and "do we really trust this CPU?" | 01:47:31 |
| siraben | Issue on reducing bootstrapping: https://github.com/NixOS/nixpkgs/issues/123095 | 02:20:06 |
| siraben | Melg8 has had some progress on integrating the bootstrappable with Nixpkgs | 02:20:32 |
|  steve joined the room. | 05:38:37 |
 Reventlov | Redacted or Malformed Event | 07:41:25 |
| siraben | In reply to @hexa:lossy.network
his post is essentially dead it's back to third place | 07:55:37 |
| siraben | but i downvoted | 07:55:39 |
| siraben |
The website says reproducibility can reduce the risk of developers being threatened or bribed to backdoor their software, but that is just ridiculous. Developers have a perfect method for making their own software malicious: bugdoors. A bugdoor (bug + backdoor) is a deliberately introduced "vulnerability" that the vendor can "exploit" when they want backdoor access.
this seems to miss the point of reproducibility, IMO
| 07:58:03 |
| siraben | *
The website says reproducibility can reduce the risk of developers being threatened or bribed to backdoor their software, but that is just ridiculous. Developers have a perfect method for making their own software malicious: bugdoors. A bugdoor (bug + backdoor) is a deliberately introduced "vulnerability" that the vendor can "exploit" when they want backdoor access.
this seems to miss the point of reproducibility, IMO (I'm aware I'm preaching to the choir here though 😅)
| 07:59:14 |
 raboof | he wrote a blogpost about that a while back, too. I haven't re-read it, but it seems his point boils down to "X doesn't solve all problems of humanity, so it is useless" - which doesn't seem too helpful. | 08:00:16 |
