18+ rsc, 2 months ago

@timbray Deep but also shallow? I mean, xz-utils was built from source and reproducible too. Reproducibility makes auditing the source meaningful, not unnecessary.

timbray, 2 months ago

@rsc Feels like useful work even though I don't see what the endgame is.

As for xz, I thought it was significant that they shipped tarballs containing autotools output. Stopping that would be a win I think?

rsc, 2 months ago

@timbray Less autotools is always a win, of course, but it's unclear how much of a win. The obfuscation was somewhat over the top, all things considered, given that if someone is reading closely, they've probably lost at that point anyway. Also I think they could have checked the build-to-host.m4 script into the repo and run the same attack.

timbray, 2 months ago

@rsc Heh, at this point I'd settle for “less autotools” as a first step. I’m generally pessimistic, in that I think deterministic/reproducible building has been well-proved to be a very hard problem. But I still think chipping away at the coalface is worth doing.

cdamian, 2 months ago

@timbray
My worry is that this leads to "let's just ship container images", which will make things worse in my view.
Or we just lose support for a lot of operating systems and architectures.
Autotools is awful, but they do solve a problem.
@rsc

jhulten, 2 months ago

@timbray @rsc

Eventually you have to trust something if not at least the folks that made the rock do math. How are they bootstrapping their compilers? What about basic tools like ls? The kernel? Drivers? UEFI?

timbray, 2 months ago

@jhulten @rsc Oh, sure; perfection will never be achieved. But successively decreasing the build attack surface remains a win.

18+ glitzersachen, 2 months ago

@timbray That is so cool.

18+ virtuous_sloth, 2 months ago

@timbray Not unrelated but weirdly deep in its own way: https://justine.lol/ape.html