Comment on Bonfire & Guix, a love story -- fishinthecalculator
fishinthecalculator@lemmy.ml 1 week agoMy point on binaries was not really about reproducibility as nowadays most distro have reproducible builds: Arch, Debian, RHEL, SUSE and probably more. My point is that packages in Guix are bootstrapped from a very small binary seed, something like 357 bytes, which highly mitigates the risk of Trusting Trust attacks
jim3692@discuss.online 1 week ago
It’s the first time I see the concept of bootstrappability in the context of security.
Is it really worth the effort?
There are multiple ways to run a supply chain attack. With bootstrappability, one can be sure that the compiler is trusted, but what about the code that the compiler compiles? There was this recent attack to XZ utils, which shows that more attention is needed on the code being merged and compiled.
I think that this just creates a false sense of security.
Contrary to that, I had read about a BSD team (I think FreeBSD) that reviews all the code before each release. This way they have achieved ~5 RCE exploits throughout their entire history.
fishinthecalculator@lemmy.ml 1 week ago
I think it’s worth the effort since it prevents numerous risks at the root, for sure it’s not enough. I agree that bootstrapping wouldn’t necessarily solve the XZ attack, but I think that should be solved by big tech paying FOSS maintainers enough or at all to prevent them from burning out.
About the BSD experience that looks like a big amount of work but definitely worth it, I’m sure they didn’t ship many packages as Guix ships but I guess the projects have different goals and requirements.
unhrpetby@sh.itjust.works 1 week ago
XZ was made possible largely because there was unaudited binary data. One part as test data in the repo, and the other part within the pre-built releases. Bootstrapping everything from source would have required that these binaries had an auditable source, thus allowing public eyes to review the code and likely stopping the attack.
Pulled from here: