by mbakke
1732 days ago
In Guix, every package is derived from a tiny set of "bootstrap binaries" that will soon be reduced to a ~512 byte machine code seed: https://guix.gnu.org/blog/2020/guix-further-reduces-bootstra... That means the famous "trusting trust" attack mostly does not apply. There are a few pre-compiled binaries lurking in Guix's dependency graphs, such as GHC, but they will be properly bootstrapped as soon as someone figures out how, see <https://www.bootstrappable.org/projects.html>. Also important to note that no one is uploading packages to Guix. The CI system builds everything automatically, and you can opt out of "binary substitutes", compile everything locally, and still end up with (mostly) identical binaries.

A more direct link for other interested readers: https://bootstrapping.miraheze.org/wiki/Stage0