Ludovic and friends - On Sun, May 08, 2022 at 12:34:47AM +0200, Ludovic Courtès wrote: > Jan Nieuwenhuizen <[email protected]> skribis: > > Mes has now been ported to M2-Planet and can be bootstrapped using > > stage0-posix[0], starting from the 357-byte hex0 binary of the > > bootstrap-seeds[1], as was promised at FOSDEM'21[2]. > This is amazing… congrats to you & everyone involved! You made it! :-)
+1 > The common objection is: “you’re building from source but you’re not > gonna audit all that source code anyway, so why bother?” [...] > Supply chain security is a spectrum and I think this achievement changes > what we can expect and demand. I've had this conversation before, any my analogy is to the three legs of a stool. Bootstrapped toolchains, reproducible builds, and source-code audits. Each one is arguably useless without the others, but taken together, you've actually accomplished something meaningful. Maybe I should also include "cryptographically signed artifact distribution" on that list. - Larry
