Amazing indeed! On 07 May 2022 at 16:11, Larry Doolittle <[email protected]> wrote: >> The common objection is: “you’re building from source but you’re not >> gonna audit all that source code anyway, so why bother?” [...] >> Supply chain security is a spectrum and I think this achievement changes >> what we can expect and demand. > > I've had this conversation before, any my analogy is to the > three legs of a stool. Bootstrapped toolchains, reproducible builds, > and source-code audits. Each one is arguably useless without the others, > but taken together, you've actually accomplished something meaningful. > Maybe I should also include "cryptographically signed artifact distribution" > on that list. >
In a similar line, Bunnie Huang gave an interesting talk about the hardware trust level a few years ago [0], which led to the Precursor project [1,2]. Cheers, Sébastien [0] https://media.ccc.de/v/36c3-10690-open_source_is_insufficient_to_solve_trust_problems_in_hardware [1] https://www.crowdsupply.com/sutajio-kosagi/precursor [2] https://www.bunniestudios.com/blog/?p=5979
