Gave a talk at #FOSSY yesterday about #ReproducibleBuilds and #BootstrappableBuilds and how close we are to actually countering the infamous #TrustingTrust attack.
The slides are packaged as a Debian package, including a signed .buildinfo file, so you should be able to recreate my slides bit-for-bit identically!
https://www.aikidev.net/~vagrant/talks/2023/fossy/
However, my actual talk included a fair amount of non-determinism, thanks for all the great questions!
https://2023.fossy.us/schedule/presentation/118/
Videos should be available soon!
#fossy #reproduciblebuilds #bootstrappablebuilds #trustingtrust
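The post above relies on a .buildinfo file: a deb822-style record whose Checksums-Sha256 stanza lists the hash, size and name of every artifact the original build produced, so anyone who rebuilds can compare their output against it. The following is an added example, not the talk's packaging or any Debian tool: it constructs a small stand-in .buildinfo from constructed artifact bytes, parses the Checksums-Sha256 stanza back out, and reports per artifact whether a rebuild matches, differs, or is absent. The package name, artifact names and payloads are all made up for the demonstration; verifying the OpenPGP signature on a real .buildinfo is a separate step this block does not cover.

```python
"""Compare rebuilt artifacts against the Checksums-Sha256 stanza of a .buildinfo file."""
import hashlib

# Constructed stand-ins for the build outputs (not the real slides package).
ARTIFACTS = {
    "fossy-slides_1.0-1_all.deb": b"constructed .deb payload, stand-in for the real package\n",
    "fossy-slides_1.0-1.dsc": b"constructed .dsc payload\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_buildinfo(artifacts: dict) -> str:
    """Emit a minimal deb822-style .buildinfo (constructed) with a Checksums-Sha256 stanza.

    Continuation lines of a multi-line field start with a single space, and each
    entry is "<sha256> <size> <filename>", the same layout dpkg-genbuildinfo uses.
    """
    lines = ["Format: 1.0", "Source: fossy-slides", "Architecture: all", "Checksums-Sha256:"]
    for name, data in sorted(artifacts.items()):
        lines.append(f" {sha256_hex(data)} {len(data)} {name}")
    lines.append("Build-Origin: Debian")  # a following field ends the stanza
    return "\n".join(lines) + "\n"


def parse_checksums(buildinfo: str, field: str = "Checksums-Sha256") -> dict:
    """Return {filename: (sha256_hex, size)} from the named checksum stanza."""
    expected = {}
    in_field = False
    for line in buildinfo.splitlines():
        if in_field and line[:1] in (" ", "\t"):
            digest, size, name = line.split()
            expected[name] = (digest.lower(), int(size))
        else:
            # Any non-continuation line ends the stanza; start one on the field header.
            in_field = line.rstrip() == f"{field}:"
    return expected


def verify_rebuild(buildinfo: str, rebuilt: dict) -> dict:
    """Classify each listed artifact as "ok", "mismatch" (size or digest differs) or "missing"."""
    results = {}
    for name, (digest, size) in parse_checksums(buildinfo).items():
        data = rebuilt.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size or sha256_hex(data) != digest:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    original = make_buildinfo(ARTIFACTS)
    print(original)
    print("faithful rebuild:", verify_rebuild(original, ARTIFACTS))
    tampered = dict(ARTIFACTS, **{"fossy-slides_1.0-1.dsc": b"constructed .dsc payload!\n"})
    print("one byte changed:", verify_rebuild(original, tampered))
```

A result of "mismatch" on a rebuild is the signal reproducible-builds tooling is built around: either the build is non-deterministic (timestamps, build paths, locale) or one of the two environments produced something the other did not, and diffoscope-style comparison of the two artifacts is the next step.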
Spent part of my #RechageDay at #AMD looking at bootstrapping #TinyCC 0.9.26 from #GNUMes on #x86_64 architecture. And thanks to #Mes maintainer @janneke for his help debugging various issues. We can now build an initial #tcc binary and it can even run some simple commands such as --help or -vv.
Unfortunately, we still hit some critical bugs when trying to use this tcc binary to rebuild itself but hopefully we are not far now.
#rechageday #amd #TinyCC #GNUmes #x86_64 #mes #tcc #bootstrappable #bootstrappablebuilds #reproduciblebuilds
Talk at IEEE S&P 2023 "Oakland" by Marcel Fourné "It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security"
https://www.youtube.com/watch?v=H0A2cSejlZ4
#bootstrappable
#BootstrappableBuilds
#ReproducibleBuilds
@reproducible_builds
#reproduciblebuilds #bootstrappablebuilds #bootstrappable
I will be presenting about #ReproducibleBuilds at #FOSSY this year:
Breaking the Chains of Trusting Trust: Reproducible Builds and More!
#reproduciblebuilds #fossy #supplychain #bootstrappablebuilds
I've just merged a PR that implements kernel bootstrap for live-bootstrap: https://github.com/fosslinux/live-bootstrap/pull/295
Big thanks to all the people who contributed to this!
We can start with a small x86 binary that has about 200 bytes of code (but has to be padded to 512 bytes to add the MBR signature) and bootstraps both the kernel (builder-hex0->Fiwix->Linux) and userspace all the way from hex0 to GCC 13.
#BootstrappableBuilds
#ReproducibleBuilds
@reproducible_builds #bootstrappable
#bootstrappablebuilds #reproduciblebuilds #bootstrappable
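Two details in the post above are worth seeing concretely: the hex0 seed format, in which a human-auditable text file of hex digit pairs is turned into the binary that starts the chain, and the 512-byte boot-sector padding with the MBR signature. The block below is an added example, not stage0's hex0 or live-bootstrap's builder-hex0: it is a small Python reimplementation of the hex0 text convention as I understand it (two hex digits per byte, `#` and `;` starting line comments, everything else ignored), plus a helper that pads a code blob to a 512-byte sector ending in the 0x55 0xAA signature and a check that validates such an image. The listing it converts is constructed for the demonstration.

```python
"""Toy hex0-style converter and MBR boot-sector padding (added example, not stage0's hex0)."""

MBR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510 and 511 of a bootable sector

# Constructed hex0-style listing: each pair of hex digits is one byte,
# '#' and ';' start comments that run to end of line, other characters are ignored.
SAMPLE_HEX0 = """\
# tiny constructed x86 boot code, not the real seed
EB FE      ; jmp $  (spin forever)
90 90      # two nops, never reached
"""

HEX_DIGITS = "0123456789abcdefABCDEF"


def hex0_to_bytes(text: str) -> bytes:
    """Assemble hex0-style text into bytes; raise if a nibble is left unpaired."""
    out = bytearray()
    pending = None  # high nibble waiting for its partner
    for line in text.splitlines():
        for ch in line:
            if ch in "#;":
                break  # rest of the line is a comment
            if ch not in HEX_DIGITS:
                continue  # whitespace and punctuation are ignored
            nibble = int(ch, 16)
            if pending is None:
                pending = nibble
            else:
                out.append((pending << 4) | nibble)
                pending = None
    if pending is not None:
        raise ValueError("odd number of hex digits in listing")
    return bytes(out)


def as_boot_sector(code: bytes) -> bytes:
    """Zero-pad code to 510 bytes and append the 0x55 0xAA signature."""
    if len(code) > MBR_SIZE - 2:
        raise ValueError(f"code is {len(code)} bytes; at most {MBR_SIZE - 2} fit before the signature")
    return code + b"\x00" * (MBR_SIZE - 2 - len(code)) + MBR_SIGNATURE


def is_boot_sector(image: bytes) -> bool:
    """True iff the image is exactly one sector and carries the signature."""
    return len(image) == MBR_SIZE and image[MBR_SIZE - 2:] == MBR_SIGNATURE


if __name__ == "__main__":
    code = hex0_to_bytes(SAMPLE_HEX0)
    image = as_boot_sector(code)
    print(f"{len(code)} bytes of code -> {len(image)}-byte sector, valid={is_boot_sector(image)}")
```

The point of keeping the seed in this text form is auditability: a reviewer can read the hex listing and its comments directly instead of trusting a compiler, which is exactly what the trusting-trust problem is about, and the converter that consumes it is small enough to be checked by hand or rewritten independently.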
@tahnu We'll soon have more achievements! The #BootstrappableBuilds community will soon have kernel bootstrapping working on x86, starting from a ~200 byte seed kernel (though there will be a bit more #hex0 code that we'll have to build, but still within a few KiB). Though I don't expect that to be integrated into #guix anytime soon or maybe ever... I suspect #guix will be limited to userspace bootstrapping.
#bootstrappablebuilds #Hex0 #guix
@janneke and I were trying to fix the 64-bit (#amd64 for now) #mes bootstrap. After applying some fixes to M2-Planet and #mes we were able to bootstrap the mes-m2 binary from #hex0. And it's working well enough to rebuild itself with #mescc.
This is expected to be in the next releases of mes 0.25 and M2-Planet 0.11.
#amd64 #mes #Hex0 #mescc #bootstrappablebuilds #Stage0
If you run "guix pull" today, you get a package graph of more than 22,000 nodes rooted in a 357-byte program---something that had never been achieved, to our knowledge, since the birth of Unix: a Full-Source Bootstrap.
#GnuMes
#bootstrappable
#BootstrappableBuilds
#ReproducibleBuilds
@fsf
@fsfe
#reproduciblebuilds #bootstrappablebuilds #bootstrappable #GNUmes
@benjaminhollon @jbowen @revk software bootstrap is already done and scripted: https://github.com/fosslinux/live-bootstrap/blob/master/parts.rst
On x86 we can bootstrap from a tiny binary seed.
Of course there are questions of how you would get source code onto your disk or RAM without another system... But theoretically, if you have a machine with front panel RAM switches, bootstrap is a solved problem.
#GNU Mes 0.24.2 released: Fixing a long standing stat64 and friends bug for 32-bit systems https://debbugs.gnu.org/41264.
https://lists.gnu.org/archive/html/info-gnu/2023-02/msg00004.html
The soon-to-be-merged #Guix core-updates branch now also uses this fix.
#GnuMes
#bootstrappable
#BootstrappableBuilds
#ReproducibleBuilds
@fsf@status.fsf.org
@fsfe
#gnu #guix #GNUmes #bootstrappable #bootstrappablebuilds #reproduciblebuilds
Most #flatpaks will soon be buildable from a sub-1 KiB binary seed:
See blog post for more details:
https://stikonas.eu/wordpress/2023/01/31/building-flatpaks-and-freedesktop-sdk-from-scratch/
#flatpak #freedesktop-sdk #BootstrappableBuilds #reproduciblebuilds
#flatpaks #flatpak #freedesktop #bootstrappablebuilds #reproduciblebuilds
@fdroidorg #ReproducibleBuilds are good but you should consider #BootstrappableBuilds that are even better.
#reproduciblebuilds #bootstrappablebuilds
#Python 3.11 has just been added to https://github.com/fosslinux/live-bootstrap/. All built from a 256-byte hex0 seed. Perhaps we can soon use it as a seed for #Gentoo.
#python #gentoo #bootstrappable #bootstrappablebuilds
Figured out what was wrong with my implementation of Emmanuel Bourg's #kotlin #bootstrap chain (https://github.com/ebourg/kotlin-bootstrapping), so now I managed to mirror the same chain, but *completely bootstrapped* (all prebuilt jars are removed from sources).
So I have a kotlin from June 2015: https://framagit.org/tyreunom/guix-android/-/blob/master/android/packages/kotlin.scm#L919
still a long way to go :D
#kotlin #bootstrap #guix #bootstrappablebuilds
One of the most exciting real-world applications of #ReproducibleBuilds and #BootstrappableBuilds is securing against #TrustingTrust attacks, known since the 1970s, but little has been done to address them. Such attacks are very difficult to pull off, but are devastating if successful.
We successfully built a bit-for-bit identical #Mes compiler on several distributions, part of the toolchain used to bootstrap #Guix, which is a complete #FreeSoftware distribution.
https://reproducible-builds.org/news/2019/12/21/reproducible-bootstrap-of-mes-c-compiler/
#FreeSoftware #Guix #mes #trustingtrust #bootstrappablebuilds #reproduciblebuilds
Monthly #reproduciblebuilds report:
https://reproducible-builds.org/reports/2021-07/
It's great to see more discussion of #reproduciblebuilds and #bootstrappablebuilds related to #supplychain vulnerabilities.
Really excited to see the work on reproducible live images for #debian.
Always nice to see developments in other #foss projects #ArchLinux #OpenSUSE #alpine #mirageos #openwrt as we are all in this together.
Personally, I had a good month submitting a few patches!
#OpenWRT #mirageos #alpine #OpenSUSE #ArchLinux #FOSS #Debian #supplychain #bootstrappablebuilds #reproduciblebuilds