[amir-h]

Fascinating write-up!

Reproducible builds are highly important indeed, though from security perspective we shouldn't assume we're secure because we can reproduce the build.

As Ken Thompson shows us in Reflections on Trusting Trust: backdoors can live in binary form only and the source code may not be telling the full story.

What we need to trust are the entities writing and distributing the packages, of everything. Sadly today there is no way to answer: what is the set of entities I'm trusting by using this package.

[mbakke]

In Guix, every package is derived from a tiny set of "bootstrap binaries", that will soon be reduced to a ~512 byte machine code seed:

https://guix.gnu.org/blog/2020/guix-further-reduces-bootstra...

That means the famous "trusting trust" attack mostly does not apply. There are a few pre-compiled binaries lurking in Guix's dependency graphs, such as GHC, but they will be properly bootstrapped as soon as someone figures out how, see <https://www.bootstrappable.org/projects.html>.

Also important to note that no one is uploading packages to Guix. The CI system builds everything automatically, and you can opt out of "binary substitutes", compile everything locally, and still end up with (mostly) identical binaries.

[amir-h]

Wow that Stage0 project is amazing, didn't realize anyone went that far, thanks for the reference!

A more direct link for other interested readers: https://bootstrapping.miraheze.org/wiki/Stage0

[goohle]

You can trust community as the whole, because uses it own product. Community will protect itself, so you, as regular user, can benefit from that for free. No community - no protection, because the owner of a package is not a user of the product.

[amir-h]

A person that had at some point control of a widely distributed toolchain binary (say a compiler, linker, or even a build tool) can trick an entire comnunity.

[Kalium]

You're absolutely right! You can trust that a community, given sufficient time, will act to protect itself in the long-term and thus individual users. This just might not always be the same as every user being maximally safe at every point in time.

Case in point that gets at both: malicious python and npm packages stealing credentials. They were caught and handled, but not before hitting some people.