about summary refs log tree commit diff
path: root/result.pdfpc
diff options
context:
space:
mode:
Diffstat (limited to 'result.pdfpc')
-rw-r--r--result.pdfpc65
1 files changed, 30 insertions, 35 deletions
diff --git a/result.pdfpc b/result.pdfpc
index a2bb72a566bb..b0fa6c9a0ef8 100644
--- a/result.pdfpc
+++ b/result.pdfpc
@@ -1,7 +1,7 @@
 [file]
 result
 [last_saved_slide]
-15
+10
 [font_size]
 20000
 [notes]
@@ -11,18 +11,15 @@ result
 - unless you built it from scratch (spoiler: you haven't) you're *trusting* someone
 
 Agenda: Implications of trust with focus on bootstrap paths and reproducibility, plus how you can help.### 2
+self-hosting:
+- C-family: GCC pre/post 4.7, Clang
+- Common Lisp: Sunshine land! (with SBCL)
+- rustc: Bootstrap based on previous versions (C++ transpiler underway!)
+- many other languages also work this way!
 
-- when making a new programming language, becoming self-hosted is an important milestone
-- you enforce consistency & reliability for yourself as the user of your language
-- you dogfeed all aspects of your language
-- however: if you only have one compiler, you now need that compiler to compile itself.
+(Noteable counterexample: Clojure is written in Java!)### 3
 
-This is very common!
-
-- C compilers: GCC<4.7, Clang (itself & by gcc)
-- SBCL reproducible & bootstrappable since 2004
-- rustc has hard dependency on previous version
-- Go has gccgo & Go compiler (one-directional)### 3
+- compilers are just one bit, the various runtimes exist, too!### 4
 
 Could this be exploited?
 
@@ -30,14 +27,14 @@ People don't think about where their compiler comes from.
 
 Even if they do, they may only go so far as to say "I'll just recompile it using <other compiler>".
 
-Unfortunately, spoiler alert, life isn't that easy in the computer world and yes, exploitation is possible.### 4
+Unfortunately, spoiler alert, life isn't that easy in the computer world and yes, exploitation is possible.### 5
 
 - describe what a quine is
 - classic Lisp quine
 - explain demo quine
 - demo demo quine
 
-- this is interesting, but not useful - can quines do more than that?### 5
+- this is interesting, but not useful - can quines do more than that?### 6
 
 - quine-relay: "art project" with 128-language circular quine
 
@@ -45,7 +42,7 @@ Unfortunately, spoiler alert, life isn't that easy in the computer world and yes
 
 - (demo quine relay?)
 
-- side-note: this program is very, very trustworthy!### 6
+- side-note: this program is very, very trustworthy!### 7
 
 Ken Thompson (designer of UNIX and a couple other things!) received Turing award in 1983, and described attack in speech.
 
@@ -53,7 +50,7 @@ Ken Thompson (designer of UNIX and a couple other things!) received Turing award
 - make that modification a quine
 - insert modification into new compiler
 - add attack code to modification
-- remove attack from source, distributed binary will still be compromised! it's like evolution :)### 7
+- remove attack from source, distributed binary will still be compromised! it's like evolution :)### 8
 
 damage potential is basically infinite:
 
@@ -64,16 +61,22 @@ damage potential is basically infinite:
 
 - you can probably think of more!### 10
 
+idea being: potential vulnerability would have to work across compilers:
+
+the more compilers we can introduce (e.g. more architectures, different versions, different compilers), the harder it gets for a vulnerability to survive all of those
+
+The more compilers, the merrier! Lisps are pretty good at this.### 11
+
 if we get a bit-mismatch after DDC, not all hope is lost: Maybe the thing just isn't reproducible!
 
 - many reasons for failures
 - timestamps are a classic! artifacts can be build logs, metadata in ZIP-files or whatever
 - non-determinism is the devil
-- sometimes people actively introduce build-randomness (NaCl)### 11
+- sometimes people actively introduce build-randomness (NaCl)### 12
 
 - Does that binary download on the project's website really match the source?
 
-- Your Linux packages are signed by someone - cool - but what does that mean?### 12
+- Your Linux packages are signed by someone - cool - but what does that mean?### 13
 
 Two things should be achieved - gross oversimplification - to get to the ideal "desired state of the union":
 
@@ -81,11 +84,11 @@ Two things should be achieved - gross oversimplification - to get to the ideal "
 
 2. when packages are distributed, we should be able to know the expected output of a source package beforehand
 
-=> suddenly binary distributions become a cache! But more on Nix later.### 13
+=> suddenly binary distributions become a cache! But more on Nix later.### 14
 
 - Debian project does not seem as concerned with bootstrapping as with reproducibility
 - Debian mostly bootstraps on new architectures (using cross-compilation and similar techniques, from an existing binary base)
-- core bootstrap (GCC & friends) is performed with previous Debian version and depending on GCC### 14
+- core bootstrap (GCC & friends) is performed with previous Debian version and depending on GCC### 15
 
 ... however! Debian cares about reproducibility.
 
@@ -95,40 +98,32 @@ Two things should be achieved - gross oversimplification - to get to the ideal "
 
 < show reproducible builds website >
 
-Debian is still fundamentally a binary distribution though, but it doesn't have to be that way.### 15
+Debian is still fundamentally a binary distribution though, but it doesn't have to be that way.### 16
 
 Nix - a purely functional package manager
 
 It's not a new project (10+ years), been discussed here before, has multiple components: package manager, language, NixOS.
 
-Instead of describing *how* to build a thing, Nix describes *what* to build:### 16
-### 17
-
-- Nix creates repeatable, environments for builds with only the things requested in the build configuration
-
-- Nothing "leaks" in from the outside: no "works on my machine", pinned timestamps, etc.
-
-- packages and all their inputs can be hashed together and used to address a cache -> binary distribution is a side effect of having a cache
-
-- NixOS specifically has some other cool features we can look at later!### 18
+Instead of describing *how* to build a thing, Nix describes *what* to build:### 17
+### 19
 
 In Nix, it's impossible to say "GCC is the result of applying GCC to the GCC source", because that happens to be infinite recursion.
 
 Bootstrapping in Nix works by introducing a binary pinned by its full-hash, which was built on some previous Nix version.
 
-Unfortunately also just a magic binary blob ... ### 19
+Unfortunately also just a magic binary blob ... ### 20
 
 NixOS is not actively porting all of Debian's reproducibility patches, but builds are fully repeatable:
 
 - introducing a malicious compiler would produce a different input hash -> different package
 
-Future slide: hope is not lost! Things are underway.### 20
+Future slide: hope is not lost! Things are underway.### 21
 
 - bootstrappable.org (demo?) is an umbrella page for several projects working on bootstrappability
 
 - stage0 is an important piece: manually, small, auditable Hex programs to get to a Hex macro expander
 
-- end goal is a full-source bootrap, but pieces are missing### 21
+- end goal is a full-source bootrap, but pieces are missing### 22
 
 MES is out of the GuixSD circles (explain Guix, GNU Hurd joke)
 
@@ -137,11 +132,11 @@ MES is out of the GuixSD circles (explain Guix, GNU Hurd joke)
 - includes MesCC in Scheme -> can *almost* make a working tinyCC -> can *almost* make a working gcc 4.7
 
 - minimal Scheme interpreter, currently built in C to get the higher-level stuff to work, goal is rewrite in hex
-- bootstrapping Guix is the end goal### 22
+- bootstrapping Guix is the end goal### 23
 
 - userspace in Darwin has a Nix project
 - unsure about other BSDs, but if anyone knows - input welcome!
 - F-Droid has reproducible Android packages, but that's also userspace only
 - All other mobile platforms are a lost cause
 
-Generally, all closed-source software is impossible to trust.### 23
+Generally, all closed-source software is impossible to trust.