December 14, 2022 at 10:52 PM, "Vagrant Cascadian" <vagr...@reproducible-builds.org> wrote: > And yes, you eventually get down to how do you trust hardware... there > are a lot of rabbit holes here, and at the end of the day, you need to > prioritize what is the next important thing is, or what gets you the > most value in the short, medium and long term. > > Bootstrappable and Reproducible Builds is probably more in the medium to > long term realm... yet can demonstrate some benefits almost > immediately... if you only focus on the short term, the long-term work > will never happen. I daresay that what the world needs now is a bit more > long-term thinking in general. > > Hello I'm a skeptic as well but I really admire the efforts of all contributors here. At first it looks like some kind of Don Quixote, Sisyphus fight against unfair by design reality but I hope eventually in the future maybe with some external super-AI suport this big transparency issue could be solved completely.
In my opinion the biggest problem is that we are not able to audit and verify any hardware implementation for this work so it cannot be trusted at all. Controlling hardware is essential and it cannot be replaced by virtualization unless it's based on some innovative blockchain PoW-like crypto agnostic miners. Without at least one wokring fully libre and formally verifiable hardware reference we are doomed to fail. Moreover the very first linux was bootstrapped by MINIX, the very first MINIX was bootstrapped by UNIX and ironically it looks like UNIX was somehow bootstrapped by itself in 1970 (it's a commercial not reproducible by design product anyway ;). After so many years all kind of Free and Open-Source Software is still literally prisoned by vendor-locked hardware, its obfuscated binary seeds and problematic build environments(i.e. to bootstrap linux from hex0 in practice you need to run it on linux anyway https://github.com/fosslinux/live-bootstrap ). The long term perspectives for Bootstrappable and Reproducible builds doesn't look optimistic neither: https://gist.github.com/DavidBuchanan314/a15e93eeaaad977a0fec3a6232c0b8ae (sooner or later other checksums will be breaked as well). Cheers! Martin
