by dannymi
356 days ago
It stops at GNU Mes and hex0. Bootstrapping everything is exactly how it's done correctly--and how it's actually done in practice in Guix. I mean sure if you have a business to run you outsource this part to someone else--but you seem to think it's not done at all.

Supply chain attacks have been happening pretty much non-stop the past years. Think it's a good idea to use binary artifacts you don't know how they were made (and thus what's in them)? Especially for build tools, compilers and interpreters.

> And why is that location more valid of a decision than the one that doesn't require building the build system from source?

Because you only have to review a 250 Byte binary (implementing an assembler) manually. Everything else is indeed built from source, including make, all the way up to Pypy, Go, Java and .NET (and indeed Chromium).
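To illustrate why a seed of that size can be reviewed by hand, the following added example (not from the comment above, nor from the hex0 or Guix projects) translates annotated hex text into bytes and compares the result with a shipped binary. The format handling (hex digit pairs with `#` and `;` line comments), the function names and the 8-byte sample are assumptions constructed for illustration.

```python
import hashlib

HEX_DIGITS = "0123456789abcdefABCDEF"

# Constructed sample: the first 8 bytes of an ELF header, annotated.
SAMPLE_SOURCE = """\
7F 45 4C 46   # ELF magic
02 01 01 00   ; 64-bit, little-endian, ELF version 1, System V ABI
"""
SAMPLE_SHIPPED = bytes.fromhex("7f454c4602010100")   # constructed "good" binary
SAMPLE_TAMPERED = bytes.fromhex("7f454c4602010103")  # constructed, last byte changed


def hex0_translate(source: str) -> bytes:
    """Turn hex0-style text into bytes: two hex digits per byte, high nibble first."""
    out = bytearray()
    high = None          # pending high nibble, if any
    in_comment = False
    for ch in source:
        if in_comment:
            in_comment = ch != "\n"   # a comment runs to the end of the line
        elif ch in "#;":
            in_comment = True
        elif ch in HEX_DIGITS:
            if high is None:
                high = int(ch, 16)
            else:
                out.append(high << 4 | int(ch, 16))
                high = None
        # Assumption: every other character is treated as ignorable layout.
    if high is not None:
        # Strictness added for this example: refuse a dangling half byte.
        raise ValueError("odd number of hex digits")
    return bytes(out)


def audit_seed(source: str, shipped: bytes) -> dict:
    """Rebuild the binary from its annotated source and compare byte for byte."""
    built = hex0_translate(source)
    diff = next((i for i, (a, b) in enumerate(zip(built, shipped)) if a != b), None)
    if diff is None and len(built) != len(shipped):
        diff = min(len(built), len(shipped))   # one side is a prefix of the other
    return {"size": len(built), "sha256": hashlib.sha256(built).hexdigest(),
            "matches": diff is None, "first_mismatch": diff}


if __name__ == "__main__":
    print(audit_seed(SAMPLE_SOURCE, SAMPLE_SHIPPED))
    print(audit_seed(SAMPLE_SOURCE, SAMPLE_TAMPERED))
```

Because every output byte corresponds to exactly one commented hex pair in the source, a reviewer can read the source line by line and then confirm that the shipped binary is that source and nothing else.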
I've never gone all the way to the bottom, but now that I know it's possible I cannot resist the challenge to try it.