civodul pushed a commit to branch master
in repository maintenance.
commit 96177fba2d3b7515153f5769ee03dca901566891
Author: Ludovic Courtès <[email protected]>
AuthorDate: Mon Apr 4 17:30:56 2022 +0200
programming-2022: Fix typos and wording issues reported by reviewers.
* doc/programming-2022/supply-chain.skb: Fix typos and address minor
wording issues.
---
doc/programming-2022/supply-chain.skb | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/doc/programming-2022/supply-chain.skb
b/doc/programming-2022/supply-chain.skb
index 677fcdd..92b99ce 100644
--- a/doc/programming-2022/supply-chain.skb
+++ b/doc/programming-2022/supply-chain.skb
@@ -187,12 +187,13 @@ common. The consequences of an attack on the software
supply chain can
be tragic in a society that relies on many interconnected software
systems, and this has led research interest as well as governmental
incentives for supply chain security to rise.])
- (p [GNU Guix is a software deployment tool that supports provenance
+ (p [GNU Guix is a software deployment tool and software
+distribution that supports provenance
tracking, reproducible builds, and reproducible software environments.
-Guix is first and foremost source code: it provides a set of package
-definitions that describe how to build code from source. Together,
-these properties set it apart from many deployment tools that center on
-the distribution of binaries.])
+Unlike many software distributions, it consists exclusively of source
+code: it provides a set of package definitions that describe how to
+build code from source. Together, these properties set it apart from
+many deployment tools that center on the distribution of binaries.])
(p [This paper focuses on one research question: how can Guix and
similar systems allow users to securely update their software? Guix
source code is distributed using the Git version control system;
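Review bot: In the rewritten second sentence, "it consists exclusively of source code" is a stronger claim than the "first and foremost source code" it replaces, and it goes beyond a wording fix. If the aim is only to say that Guix is also a distribution, consider keeping the qualifier, for example "Unlike many distributions, it is first and foremost source code", so the paragraph does not read as ruling out any distribution of binaries. The word "software" also now appears three times in two sentences ("software deployment tool and software distribution", "many software distributions"). The new line break after "software" leaves the paragraph unevenly filled, so it is worth refilling.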
@@ -352,7 +353,7 @@ and similar “container tools” to run the software on any
other
machine.])
(p [Last, Guix can be used as a standalone GNU/Linux
-distribution called Guix System. Its salient feature are that it lets
+distribution called Guix System. Its salient feature is that it lets
users declare the ,(emph [whole system configuration])—from user
accounts, to services and installed packages—using a domain-specific
language (DSL) embedded in Scheme, a functional programming language of
@@ -471,7 +472,7 @@ and verifiable using the same Guix revision, they were just
that: around
(p [In 2017, Nieuwenhuizen ,(it [et al.]) sought to address
this forty-year-old problem at its root: by ensuring no opaque binaries
appear at the bottom of the package dependency graph—no less ,(ref :bib
-'janneke:mes-web). To that end, Nieuwenhuizen developed GNU Mes, a
+'(janneke:mes-web courant2022:ocamlboot)). To that end, Nieuwenhuizen
developed GNU Mes, a
small interpreter of the Scheme language written in C, capable enough to
run MesCC, a non-optimizing C compiler. MesCC is then used to build
TinyCC, a more sophisticated C compiler written in C, in turn used to
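Review bot: The ,(ref :bib ...) line gains a second key, courant2022:ocamlboot, but the diffstat lists only supply-chain.skb as changed, so please confirm the bibliography already defines that key; otherwise the reference will not resolve. The commit log mentions only typos and wording, so an added citation deserves its own mention. As placed, the new key is attached to the sentence about what Nieuwenhuizen et al. set out to do in 2017, while the key name suggests a separate 2022 work. If that is the case, a short clause introducing it as related work would avoid attributing it to the Mes effort.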
@@ -603,7 +604,7 @@ metadata such as references to the latest commit of a
branch, is ,(emph
(p [Git supports ,(emph [signed commits]). A signed commit
includes an additional header containing an ASCII-armored OpenPGP
-signature computer over the other headers of the commit. By signing a
+signature computed over the other headers of the commit. By signing a
commit, a Guix developer asserts that they are the one who made the
commit; they may be its author, or they may be the person who applied
somebody else’s changes after review. Checkout authentication requires
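Review bot: The corrected phrase "signature computed over the other headers of the commit" states the signed scope too narrowly. Git computes a commit signature over the commit object with the signature header removed, which covers the commit message as well as the other headers. Suggest "computed over the rest of the commit object" so that readers do not infer the message is left unauthenticated.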
@@ -1029,7 +1030,7 @@ verifying signatures in-process, and dismissing
unnecessary OpenPGP
features. The go-to technique of spawning GnuPG and Git processes to
verify each commit signature would have been prohibitively expensive.
Instead, to traverse the Git commit graph, we use libgit2, a C library
-that implements the Git “protocols”, ,(it [via]) its Guile-Git bindings.])
+that implements the Git “protocols” ,(it [via]) its Guile-Git bindings.])
(p [We also have an OpenPGP implementation for GNU Guile, the
implementation language of Guix. This OpenPGP implementation is limited