Re: Risks of deterministic builds
From: Jan Nieuwenhuizen
Subject: Re: Risks of deterministic builds
Date: Thu, 08 Apr 2021 22:40:04 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Jean Louis writes:
> * Jan Nieuwenhuizen <janneke@gnu.org> [2021-04-08 16:43]:
>> Martin writes:
>>
>> > Maybe freedom in "free software" shouldn't require from the code to be
>> > open neither. Let's just blindly trust some saint developers who
>> > cannot even control their own binaries. Actually today we are closer
>> > and closer to that sad scenario like never before in the history,
>> > because in fact most of the open-source and GNU "free software"
>> > nowadays base on blackboxed binary seeds that cannot be verified by
>> > the users not even by the core developers.
>>
>> The bootstrappable project, GNU Mes and GNU Guix are working to fix that
>>
>>
>> https://guix.gnu.org/en/blog/2020/guix-further-reduces-bootstrap-seed-to-25/
>> https://fosdem.org/2021/schedule/event/gnumes/
>
> Janneke, that is probably most important step for GNU and free
> software in general.
Thanks, we believe so too.
> I have read it and am researching, but do not yet get how to start. I
> have downloaded stage0, is that the place to start?
It's currently not very easy to do this all by hand. Easiest to see
what's happening would be to use Guix: the bootstrap is fully "scripted"
there by packages and their dependencies. If you look at:
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/commencement.scm?h=wip-full-source-bootstrap
you can see it all starts with 'bootstrap-seeds'. You can "build" that
package (the seeds are just a download, of course) by (checking out
the guix wip-full-source-bootstrap branch, building it) and, doing
$ ./pre-inst-env guix build -e '(@@ (gnu packages commencement) bootstrap-seeds)'
/gnu/store/sg0fxjd0pyfn5sm0m33227i3rz32l6z6-bootstrap-seeds-1.0.0
and you'll see the 357-byte hex0-seed in there. This is used to build
the 'm2-planet-boot' package which uses kaem scripts (any shell will
do) to build hex0, hex1, M0, M1, hex2 and m2-planet:
$ ./pre-inst-env guix build -e '(@@ (gnu packages commencement) m2-planet-boot)'
/gnu/store/qxsd6zg910zjgwsm13c39hys2g931ij8-m2-planet-boot-1.7.0-31-g358b6cf
then onto mes-boot
$ ./pre-inst-env guix build -e '(@@ (gnu packages commencement) mes-boot)'
/gnu/store/dfwkand25k6nsmrk85p8hsa1yq74y314-mes-boot-0.22-305-g2ab4c5c67
and so on. In fact, each time you build or install a package using
Guix, these (bootstrap) dependencies are resolved and -if necessary- all
built automagically.
The first working version of 'wip-full-source-bootstrap' triggered the
'live-bootstrap' effort:
https://github.com/fosslinux/live-bootstrap
aiming to script/redo (change, improve, ...) this bootstrap outside
of/without Guix.
Greetings,
Janneke
--
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
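
An added example, not part of the original message and not stage0 or Guix code: a minimal translator for hex0 text, the format the hex0 stage of the chain above consumes, showing why such a small seed can be audited by hand. It assumes the hex0 conventions used by the stage0 project (pairs of hex digits, `#` and `;` line comments, everything else ignored); `hex0_to_bytes`, `audit` and the sample input are hypothetical names and constructed data.

```python
HEX_DIGITS = "0123456789abcdefABCDEF"


def hex0_to_bytes(source: str) -> bytes:
    """Translate hex0 text into raw bytes.

    Assumed hex0 rules: two hex digits make one byte, '#' and ';' start a
    comment that runs to end of line, every other character is ignored.
    """
    out = bytearray()
    high = None          # pending high nibble, or None
    in_comment = False
    for ch in source:
        if in_comment:
            in_comment = ch != "\n"   # a comment ends at the newline
            continue
        if ch in "#;":
            in_comment = True
            continue
        if ch not in HEX_DIGITS:
            continue                  # whitespace and punctuation are skipped
        nibble = int(ch, 16)
        if high is None:
            high = nibble
        else:
            out.append((high << 4) | nibble)
            high = None
    if high is not None:
        raise ValueError("odd number of hex digits: dangling nibble")
    return bytes(out)


def audit(source: str, expected_size: int) -> bytes:
    """Build the binary and check it has the size the auditor expects."""
    binary = hex0_to_bytes(source)
    if len(binary) != expected_size:
        raise ValueError(f"size {len(binary)} != expected {expected_size}")
    return binary


# Constructed sample: the first 16 bytes of an ELF header, commented by hand.
SAMPLE = """
7F 45 4C 46   # magic: 0x7F 'E' 'L' 'F'
01 01 01 00   ; 32-bit, little-endian, ELF version 1, System V ABI
00 00 00 00 00 00 00 00   # padding
"""

if __name__ == "__main__":
    print(audit(SAMPLE, 16).hex(" "))
```

Because hex digits inside comments are never emitted, every byte of the output maps to a digit pair a reviewer can read next to its annotation.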