@nixos_org @nzbr

While we're on the topic: work on minimal-bootstrap in #nixpkgs has actually been picked up again since this thesis was written (October 2025).

Not only that but, as of a few hours ago, the PR implementing the last step of hooking it up to become the actual bootstrap stdenv in Nixpkgs has been merged!

https://github.com/NixOS/nixpkgs/pull/479322

#fullsourcebootstrap #reproduciblebuilds #stage0 #minimalbootstrap #bootstrappablebuilds

@filippo Meanwhile, bootstrapping a current OpenJDK involves compiling multiple ancient packages (each with its own set of outdated dependencies, of course) and then going up all the way from Java 7, version by version.

@stikonas has described this tedious process and developed some ebuilds for Gentoo here: https://git.stikonas.eu/andrius/gentoo-bootstrap

This also applies to Rust in a way, but at least it's not as bad there – not yet, as the old versions might eventually succumb to bitrot, too.

Please, dear programming language community, can we do better at this? For resilience, for reproducibility, for reliability, for portability and for preservation?

#bootstrappablebuilds #bootstrapping #reproduciblebuilds #trustingtrust #gentoo #openjdk #rust

Edit: Added &c=my-comment to the URL,
please like my comment, or otherwise help me to reach LaurieWired? Boost=❤️ #askfedi

@regtur @reproducible_builds @guix @ekaitz_zarraga
@nlnet
@fsf
@fsfe
@gnutools
Seems #fedi didn't do their thing just yet, so I logged into the Evil Empire and added a comment. Not sure if that will do any good, tho. I guess maybe one or two of you who read this, and still have a Google account, could like my comment, but there are already comments with > 3K likes, so yeah.

Also, no idea how to reach them; they're talking about trust, and then only seem to on Big Tech platforms like TPPKAB (the platform previously known as birdsite), instagram, etc.

<https://www.youtube.com/watch?v=Fu3laL5VYdM&lc=UgxAf-w-tTYM5syB3x94AaABAg>
#bootstrappablebuilds #guix #gnu #reproducibleBuilds #supplyChainSecurity #trustingTrust

@regtur
Wait what? #GNU #Mes isn't being mentioned? Not even in the comments?
Fediverse do your thing!

cc: @lauriewired @reproducible_builds
@guix
@ekaitz_zarraga
@nlnet #bootstrappable
#bootstrappablebuilds
#guix
#trustingtrust

Note to self:

I must admit I probably could have used a slide about why #ReproducibleBuilds is important in my talk yesterday.

More and more I would like to stress that reproducible builds are most importantly about being able to say that a given artifact was produced from specific bit of source code, and all of the security and other benefits derive directly or indirectly from that.

Ideally you can recursively make such assertions all the way down, and you end up with #BootstrappableBuilds