[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: How to reduce our vulnerability from self-hosted compilers
From: |
Andreas Enge |
Subject: |
Re: How to reduce our vulnerability from self-hosted compilers |
Date: |
Fri, 27 Feb 2015 22:12:51 +0100 |
User-agent: |
Mutt/1.5.23 (2014-03-12) |
Hello,
your ideas sound good to me. As to Fede, it occurred to me that we would
not need to maintain our own bootstrap binaries as we do for the guix system.
Instead, we could add a fixed binary from upstream to the store (as a
separate, probably private, package) and use it to build the final package.
When updating to a newer version, we would keep the same binary bootstrap
package. This would be an easier way of achieving your first goal.
It would not, however, achieve your second goal, of creating new bootstrap
binaries with the old ones, if necessary, and to thus obtain a complete
"trust chain". But I think this would be the second step, and maybe too much
effort for not so much effect.
Let us implement the first step first, and then see where it leads us.
Andreas