June 23rd, 2024

Is Guix full-source bootstrap a lie?

The article discusses Guix's transparent and secure full-source bootstrap process, enabling users to verify over 22,000 nodes like Python PyTorch with 1150 dependencies. It emphasizes verifying each step to prevent backdoors or fraud.

Read original articleLink Icon
Is Guix full-source bootstrap a lie?

The article discusses the Guix full-source bootstrap process, emphasizing transparency and security in software supply chains. Guix enables users to inspect and verify the building process of over 22,000 nodes in a package graph, such as Python PyTorch with its 1150 dependencies. The article delves into the recursive nature of the chicken-or-the-egg problem in computing, highlighting the importance of verifying each step in the software build chain to prevent potential backdoors or fraud. Guix's approach involves starting from minimal bootstrap-seeds, building up through various dependencies, and ensuring transparency in the entire process. The Guix community's efforts and tools like bootar, guile-bootstrap, and stage0-posix are instrumental in this complex yet meticulous process. The article showcases how Guix allows users to audit, inspect, and verify each component in the software supply chain, promoting trust and reproducibility in software builds.

Related

Let's write a video game from scratch like it's 1987

Let's write a video game from scratch like it's 1987

Philippe Gaultier created Minesweeper in 1987 using X11 without libraries, resulting in a compact executable. The article explores X authentication, Odin language usage, and minimalistic GUI development, offering insights into X11 intricacies. Source code is on GitHub.

Eight million pixels and counting: improving texture atlas allocation in Firefox (2021)

Eight million pixels and counting: improving texture atlas allocation in Firefox (2021)

Improving texture atlas allocation in WebRender with the guillotiere crate reduces texture memory usage. The guillotine algorithm was replaced due to fragmentation issues, leading to a more efficient allocator. Visualizing the atlas in SVG aids debugging. Rust's simplicity and Cargo fuzz testing are praised for code development and robustness. Enhancements in draw call batching and texture upload aim to boost performance on low-end Intel GPUs by optimizing texture atlases.

Exposition of Front End Build Systems

Exposition of Front End Build Systems

Frontend build systems are crucial in web development, involving transpilation, bundling, and minification steps. Tools like Babel and Webpack optimize code for performance and developer experience. Various bundlers like Webpack, Rollup, Parcel, esbuild, and Turbopack are compared for features and performance.

Avoiding Emacs Bankruptcy

Avoiding Emacs Bankruptcy

Avoid "Emacs bankruptcy" by choosing efficient packages, deleting unnecessary configurations, and focusing on Emacs's core benefits. Prioritize power-to-weight ratio to prevent slowdowns and maintenance issues. Regularly reassess for a streamlined setup.

Software Engineering Practices (2022)

Software Engineering Practices (2022)

Gergely Orosz sparked a Twitter discussion on software engineering practices. Simon Willison elaborated on key practices in a blog post, emphasizing documentation, test data creation, database migrations, templates, code formatting, environment setup automation, and preview environments. Willison highlights the productivity and quality benefits of investing in these practices and recommends tools like Docker, Gitpod, and Codespaces for implementation.

Link Icon 2 comments
By @yjftsjthsd-h - 5 months
First, feels a little clickbaity to have that title when the first line is

> No, it is not a lie!

But at least it's the first line... though of course that's after you've clicked, so I'd still say clickbait.

Anyways.

I wonder how hard it is to independently run this bootstrap without having guix in the first place? If I really wanted to prove that all of this was clean, I think I'd need to start from something else - maybe go write a tiny emulator on a commodore 64 that's just enough to run the bootstrap seed and write it to... maybe there's an adapter that would let a C64 write to an SD card, so you can plug that into an x86 machine to bootstrap from there? Because to avoid Trusting Trust, you'd have to start with a totally blank disk, right? I mean, I'm pretending the C64 is 100% perfectly trustworthy but I guess in theory you should be doing a nand2tetris type deal and building a machine out of actual discrete transistors. (And you'd have to trust the firmware the moment you got to a "real computer", of course, which is actually worse IMO...)

(Of course, the real result is that I read that someone else, who I expect is trustworthy and smarter than me, has run this whole thing and it does in fact work and I can just consume the result, but it's good that people are independently verifying as well)