| 21 Jun 2021 |
 @grahamc:nixos.org | if I'd known we'd see such response to hitting 100% I'd have thought more carefully about the text at the bottom, and how to refer to the rest of the ecosystem and the fact that we're benefiting a lot from the ecosystem | 01:17:37 |
| @grahamc:nixos.org | any suggested text on how to communicate this? | 01:20:24 |
 siraben (he/him) | In reply to @hexa:lossy.network
and trending YAY | 01:22:25 |
 chreekat | In reply to @grahamc:nixos.org
any suggested text on how to communicate this? A short history of the effort? | 01:24:33 |
 Xe (xe/they) | what compiler bundle does nixos use as the root of the reproducibility effort? | 01:29:59 |
 hexa | you mean what's in stdenv(.cc)? | 01:30:39 |
| hexa | ❯ nix-build -A stdenv.cc
/nix/store/gg2rq3hrl3rf92nq6dnqhdyyxaa89aqf-gcc-wrapper-10.3.0
| 01:31:07 |
| Xe (xe/they) | is that c compiler used to rebuild itself? | 01:34:24 |
| @grahamc:nixos.org | that is already a post-bootstrapping gcc | 01:35:12 |
| Xe (xe/they) | oh, what's the bootstrapping root then? | 01:35:38 |
| @grahamc:nixos.org | it is a fairly standard set of tools that are made sure they can be built reproducibly and then tar'd up | 01:36:41 |
| @grahamc:nixos.org | 1s | 01:36:41 |
| @grahamc:nixos.org | Xe: https://search.nix.gsc.io/?q=http%3A%2F%2Ftarballs.nixos.org%2Fstdenv&i=nope&files=&repos= | 01:38:17 |
|  ziguana joined the room. | 01:39:00 |
| Xe (xe/they) | and the ultimate root is some set of tools that eelco originally made nix with? | 01:39:34 |
| @grahamc:nixos.org | iirc they came from suse | 01:40:31 |
| @grahamc:nixos.org | ~forever ago | 01:40:59 |
| Xe (xe/they) | so i guess if somehow there's a "more verifiable" way to make the root bundle of compilers then using it would boil down to replacing the tarball in bootstrapTools? | 01:42:23 |
| @grahamc:nixos.org | sure | 01:42:44 |
| Xe (xe/they) | i see | 01:43:00 |
| @grahamc:nixos.org | for example we could go through the process to bootstrap across a bunch of machines of different makes and models and OS's and find all the ways they build differently, make them build the same, and then decide that is probably good | 01:43:36 |
| @grahamc:nixos.org | another thing is progressively reducing the number of mystery meat bytes, also good, also hard work | 01:44:15 |
| @grahamc:nixos.org | I think it is good to make progress on this bootstrap problem over time, but I think it has diminishing returns and moves in to the realm of "is it plausible none of the users would notice the compromise?", and "do we really trust this CPU?" | 01:47:31 |
| siraben (he/him) | Issue on reducing bootstrapping: https://github.com/NixOS/nixpkgs/issues/123095 | 02:20:06 |
| siraben (he/him) | Melg8 has had some progress on integrating the bootstrappable with Nixpkgs | 02:20:32 |
|  steve joined the room. | 05:38:37 |
 Reventlov | Redacted or Malformed Event | 07:41:25 |
| siraben (he/him) | In reply to @hexa:lossy.network
his post is essentially dead it's back to third place | 07:55:37 |
| siraben (he/him) | but i downvoted | 07:55:39 |
| siraben (he/him) |
The website says reproducibility can reduce the risk of developers being threatened or bribed to backdoor their software, but that is just ridiculous. Developers have a perfect method for making their own software malicious: bugdoors. A bugdoor (bug + backdoor) is a deliberately introduced "vulnerability" that the vendor can "exploit" when they want backdoor access.
this seems to miss the point of reproducibility, IMO
| 07:58:03 |
