There was this recent attack on XZ Utils, which shows that more attention is needed on the code being merged and compiled.
XZ was made possible largely because there was unaudited binary data: one part as test data in the repo, and the other part within the pre-built releases. Bootstrapping everything from source would have required that these binaries had an auditable source, thus allowing public eyes to review the code and likely stopping the attack.
Pulled from here:
Every unauditable binary also leaves us vulnerable to compiler backdoors as described by Ken Thompson in the 1984 paper Reflections on Trusting Trust and beautifully explained by Carl Dong in his Bitcoin Build System Security talk.
It is therefore equally important that we continue towards our final goal: A Full Source bootstrap; removing all unauditable binary seeds.
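An added example, not part of the original post or of any project it mentions: a minimal audit that compares a release archive against the repository tree at the same tag and reports the two places the post names, binary data with no reviewable source and release content that does not match the repository. The function names and the sample trees are assumptions constructed for illustration.

```python
import hashlib
from pathlib import Path

def load_tree(root):
    """Read every file under root into {relative path: bytes}.
    For a repository, point this at an export of the tag (e.g. from `git archive`),
    not at the working copy, so VCS metadata is not included."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}

def is_binary(data):
    """Heuristic: a NUL byte or invalid UTF-8 means there is no source text to review."""
    if b"\x00" in data:
        return True
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False

def audit_release(repo, release):
    """Compare two {path: bytes} trees and return what a reviewer must look at."""
    findings = {"release_only": [], "modified": [], "binary": []}
    for path, data in sorted(release.items()):
        if path not in repo:
            # Shipped to users but never visible in the repository history.
            findings["release_only"].append(path)
        elif hashlib.sha256(data).digest() != hashlib.sha256(repo[path]).digest():
            findings["modified"].append(path)
    for path in sorted(set(repo) | set(release)):
        versions = [tree[path] for tree in (repo, release) if path in tree]
        if any(is_binary(v) for v in versions):
            findings["binary"].append(path)
    return findings

# Constructed sample trees (not taken from any real project).
SAMPLE_REPO = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "tests/files/sample.bin": b"\x00\x01\x02\xff constructed blob",
}
SAMPLE_RELEASE = dict(SAMPLE_REPO)
SAMPLE_RELEASE["configure"] = b"#!/bin/sh\n# generated script, constructed\n"
SAMPLE_RELEASE["src/main.c"] = b"int main(void) { return 1; }\n"

if __name__ == "__main__":
    for kind, paths in audit_release(SAMPLE_REPO, SAMPLE_RELEASE).items():
        print(kind, paths)
```

On real input, pass the results of `load_tree()` for the exported tag and for the unpacked release archive; every path reported needs either a reviewable source or a documented, reproducible way to regenerate it.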
fishinthecalculator@lemmy.ml 1 week ago
I think it’s worth the effort since it prevents numerous risks at the root; for sure it’s not enough. I agree that bootstrapping wouldn’t necessarily solve the XZ attack, but I think that should be solved by big tech paying FOSS maintainers enough, or at all, to prevent them from burning out.
About the BSD experience: that looks like a big amount of work but definitely worth it. I’m sure they didn’t ship as many packages as Guix ships, but I guess the projects have different goals and requirements.