On Fri, Mar 09, 2018 at 04:49:37PM +0000, Devrandom wrote:
> Hi all,
> 
> I have some concerns about the lack of diversity of contributions:
> 
> - most (all?) of the contributions used a distributed Rust toolchain, which
> suffers from the "trusting-trust" issue since they are self-compiled.  I
> don't think I've seen any contributions using the mrustc build path.
> - there were very few contributions (two?) using the golang implementation
> - no attempt has been made to replicate the deterministic golang build
> - people did not capture the binary they used, so we can't do forensics in
> case of future questions
> - there were no contributions using alternative processor architectures
> (e.g. ARM64).  I believe this is possible using the golang implementation.
> - there was a lot of focus on destroying toxic waste and not enough on the
> trustworthiness of the tools

I agree with all these points, particularly the latter: we should be focused on
genuine security, not flashy marketing stunts. (indeed, I regret the way my own
participation was marketed the last time around)

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org
