Extremely happy to see https://sourcespotter.com, a Go Checksum Database monitor and Go toolchain reproducer by @agwa.

These use the transparency logs we built into the Go supply chain to keep the Google-operated services honest.

You can check your local view of the sumdb matches Source Spotter's with this command:

curl --data-binary "@$(go env GOPATH)/pkg/sumdb/sum.golang.org/latest" https://gossip.api.sourcespotter.com/sum.golang.org
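What that gossip check is comparing is the signed tree head (a Go "note") stored in the `latest` file: a three-line body (origin, tree size, base64 root hash) followed by one or more signature lines. The script below is an added example, not code from the thread or from Source Spotter: it parses two checkpoints in that format and classifies how they relate, so a local view and a monitor's view that share a tree size but disagree on the root hash is flagged as a split view. Sizes, hashes and signature bytes are constructed placeholders, and the signature is parsed but not verified (real sum.golang.org notes are Ed25519-signed, which needs the log's public key).

```python
"""Parse and compare Go checksum database (sumdb) checkpoints.

Added example, not from the thread or from Source Spotter. Uses Go's
signed-note layout as served in .../sum.golang.org/latest. All tree
sizes, root hashes and signature bytes here are CONSTRUCTED placeholders.
"""
import base64
import hashlib
from dataclasses import dataclass

ORIGIN = "go.sum database tree"
SIG_PREFIX = "\u2014 "  # signature lines start with an em dash and a space


@dataclass(frozen=True)
class Checkpoint:
    origin: str
    size: int
    root: bytes            # 32-byte SHA-256 Merkle root
    signatures: tuple      # (key_name, 4-byte key hash, raw signature)


def parse_checkpoint(note: str) -> Checkpoint:
    """Parse a signed note; raise ValueError on any structural defect."""
    text, sep, sig_block = note.partition("\n\n")
    if not sep:
        raise ValueError("note has no signature block")
    lines = text.split("\n")
    if len(lines) != 3:
        raise ValueError("checkpoint body must be exactly 3 lines")
    origin, size_s, root_b64 = lines
    if origin != ORIGIN:
        raise ValueError(f"unexpected origin {origin!r}")
    if not size_s.isdigit() or (size_s != "0" and size_s[0] == "0"):
        raise ValueError("tree size must be a decimal integer without leading zeros")
    root = base64.b64decode(root_b64, validate=True)
    if len(root) != 32:
        raise ValueError("root hash must be 32 bytes")
    sigs = []
    for line in sig_block.rstrip("\n").split("\n"):
        if not line.startswith(SIG_PREFIX):
            raise ValueError(f"bad signature line {line!r}")
        name, _, blob_b64 = line[len(SIG_PREFIX):].partition(" ")
        blob = base64.b64decode(blob_b64, validate=True)
        if len(blob) < 5:
            raise ValueError("signature blob too short")
        sigs.append((name, blob[:4], blob[4:]))  # key hash prefix, then signature
    return Checkpoint(origin, int(size_s), root, tuple(sigs))


def compare(local: Checkpoint, remote: Checkpoint) -> str:
    """Classify two checkpoints of the same log.

    Equal size with different roots is the case gossip exists to catch.
    Different sizes cannot be judged without a consistency proof, so they
    are only reported as ahead/behind.
    """
    if local.origin != remote.origin:
        return "different-log"
    if local.size == remote.size:
        return "identical" if local.root == remote.root else "split-view"
    return "local-behind" if local.size < remote.size else "local-ahead"


def _placeholder_note(size: int, seed: bytes) -> str:
    """Build a syntactically valid note with CONSTRUCTED root and signature."""
    root = hashlib.sha256(seed).digest()
    blob = base64.b64encode(b"\x00\x00\x00\x01" + b"\x00" * 64).decode()
    return (f"{ORIGIN}\n{size}\n{base64.b64encode(root).decode()}\n\n"
            f"{SIG_PREFIX}sum.golang.org {blob}\n")


# Constructed sample data: a local view and three possible monitor views.
LOCAL_NOTE = _placeholder_note(1000, b"constructed tree A")
REMOTE_SAME = LOCAL_NOTE
REMOTE_SPLIT = _placeholder_note(1000, b"constructed tree B")
REMOTE_AHEAD = _placeholder_note(1500, b"constructed tree C")

if __name__ == "__main__":
    local = parse_checkpoint(LOCAL_NOTE)
    for label, note in (("same", REMOTE_SAME), ("split", REMOTE_SPLIT), ("ahead", REMOTE_AHEAD)):
        print(label, "->", compare(local, parse_checkpoint(note)))
```

In practice the local note comes from `$(go env GOPATH)/pkg/sumdb/sum.golang.org/latest` and the other side from a monitor; "split-view" is the result that would mean the log showed two parties different trees of the same size.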


Also, Go can be bootstrapped on multiple operating systems and architectures, from multiple C compilers, all the way to perfectly reproducible toolchain tarballs, and Source Spotter is automatically checking!

@filippo
Hm, I suspect this is one of the few compilers with this property?

@filippo Meanwhile, bootstrapping a current OpenJDK involves compiling multiple ancient packages (each with its own set of outdated dependencies, of course) and then going up all the way from Java 7, version by version.

@stikonas has described this tedious process and developed some ebuilds for Gentoo here: https://git.stikonas.eu/andrius/gentoo-bootstrap

This also applies to Rust in a way, but at least it's not as bad there – not yet, as the old versions might eventually succumb to bitrot, too.

Please, dear programming language community, can we do better at this? For resilience, for reproducibility, for reliability, for portability and for preservation?

#bootstrappablebuilds #bootstrapping #reproduciblebuilds #trustingtrust #gentoo #openjdk #rust


@notbobbytables @filippo At least with Rust we have mrustc that is fairly well maintained and gets updated to support newer Rustc versions. And mrustc->rustc bootstrap was even added to main Gentoo tree. Potentially we'll have gccrs too in the future.

But OpenJDK chain just gets longer and longer. On the other hand Java seems to be slowly disappearing from the desktop...

@stikonas Yes, mrustc seems to be quite actively maintained, keeping the dependency chain relatively short. Let's hope it stays that way.

@notbobbytables The bootstrap chain for Rust is not all that short unfortunately:
https://guix.gnu.org/en/blog/2018/bootstrapping-rust/

The post is from 2018; mrustc saw improvements in the meantime, but rustc kept moving on…

@stikonas

@civodul According to its README file, mrustc can compile rustc 1.74.0 nowadays. But I agree, that's quite a lot of steps to get to current 1.94.0.

At least, rustc 1.74.0 is not as ancient as e.g. JamVM 1.5.1 (required for Java).

@stikonas

@notbobbytables @civodul I think mrustc for 1.91 is almost ready too. It's generally between very few steps to about 20 to get to the latest rustc. So at least not growing forever like Java does.

@filippo @agwa honest meaning what here? What's the "threat model" in quotes, because Google probably isn't exploiting anyone...?

@claushoumann @agwa not serving backdoored Go modules or toolchains to targeted users

@filippo @agwa ah silly me, of course. Was wondering what it might be you thought Google would do... some sort of enshittification perhaps ;)