| 2 Dec 2022 |
cbwang | Hi all, is it possible for NixOS to build gcc through https://github.com/oriansj/stage0-posix in order to mitigate the Ken Thompson hack? | 17:48:27 |
Rick (Mindavi) | It is possible, but there is no ready-to-use solution | 17:53:31 |
cbwang | Thanks! I'm basically naively wondering if it is possible to build an ENTIRE minimum NixOS iso completely from source code of free software and with COMPLETELY no binaries (except stage0) involved at all. | 18:08:13 |
cbwang | And, if the above procedure is possible, then the next goal would be make this process reproducible 😆 | 18:08:54 |
cbwang | * And, if the above procedure is possible, then the next goal would be making this process reproducible 😆 | 18:09:24 |
Rick (Mindavi) | Technically it should be, yeah | 18:10:42 |
Rick (Mindavi) | But by default the bootstrap binaries are used | 18:10:54 |
Rick (Mindavi) | And your host kernel | 18:10:59 |
cbwang | In reply to @rick:matrix.ciphernetics.nl "And your host kernel": But if this process can be reproducible no matter what the host OS is, no matter what the CPU is, then the host kernel is not required to be trusted | 18:12:42 |
Rick (Mindavi) | Ah yes | 18:12:57 |
Rick (Mindavi) | True :) | 18:12:59 |
Rick (Mindavi) | I always wonder where one would start... | 18:14:26 |
cbwang | Besides, if we really can achieve that, then we are going to have the first host OS in which all the binaries are free | 18:14:22 |
cbwang | In reply to @rick:matrix.ciphernetics.nl "I always wonder where one would start...": A 256-byte assembler "hex0" from https://github.com/oriansj/bootstrap-seeds | 18:15:41 |
cbwang | * A 256-byte assembler "hex0" from https://github.com/oriansj/bootstrap-seeds/blob/master/POSIX/x86/hex0-seed | 18:16:23 |
Rick (Mindavi) | I mean | 18:16:45 |
Rick (Mindavi) | Do you burn that on a USB stick and boot from it? | 18:16:56 |
Rick (Mindavi) | 🧐 | 18:17:01 |
Rick (Mindavi) | Or do you start with a host OS and a statically linked Nix or so? | 18:17:35 |
cbwang | In reply to @rick:matrix.ciphernetics.nl "Do you burn that on a usb stick and boot from it?": I would prefer to burn it on a DVD | 18:17:45 |
Rick (Mindavi) | Or whatever nix | 18:17:50 |
cbwang | In reply to @rick:matrix.ciphernetics.nl "Or do you start with a host os and a statically linked nix or so?": Start with a Nix that is built from a gcc bootstrapped from stage0 | 18:18:38 |
Rick (Mindavi) | And that you can build on whatever host I guess? | 18:20:23 |
cbwang | Yeah, and the Nix binary should be reproducible on any x86-compatible hardware. | 18:21:00 |
Rick (Mindavi) | Yeah, at least x86_64 | 18:21:27 |
cbwang | In reply to @cbwang:matrix.org "Thanks! I'm basically naively wondering if it is possible to build an ENTIRE minimum NixOS iso completely from source code of free software and with COMPLETELY no binaries (except stage0) involved at all.": I guess some people would love this. The cryptocurrency community, for example, they treated security extremely seriously. The SolarWinds and XcodeGhost attacks had demonstrated what a supply chain attack is capable of. | 18:29:17 |