Chris Marusich <cmmarus...@gmail.com> writes:

> Leo Famulari <l...@famulari.name> writes:
>
>> `wget https://blob` doesn't count as reproducible :)
>
> Very true.
>
> Self-hosting compilers are a cute trick, but they're a far cry from
> being reproducible. They're just inscrutable binary blobs. If we want
> true reproducibility from the bottom up, then it seems like the only way
> to do it is via a strategy like the following:
>
> 1) Write the simplest possible program (or collection of programs) in
> the simplest possible machine code. This program serves only one
> purpose: to enable you to write more code at a higher level of
> abstraction. It is effectively a compiler for a very primitive
> language, but the language it compiles will be one layer of abstraction
> above machine code, which is a step in the right direction. This first
> program must be a "binary blob", since we cannot rely on any existing
> tools to build it. It must be simple enough that someone can read and
> understand it using e.g. a hex editor, provided that they have access to
> the right reference materials. Since this program exists only as
> machine code, it must be documented thoroughly to make it easier to
> understand.
>
> 2) Write source code which, when compiled using the compiler/toolchain
> from the previous step, produces a new compiler/toolchain that will
> allow you to write more expressive source code at a higher layer of
> abstraction.
>
> 3) Repeat step (2) as many times as necessary to produce a compiler that
> is capable of compiling GCC from source.
>
> 4) Use the compiler from (3) to compile GCC from source.
>
> 5) Use the GCC from (4) to compile the rest of the world from source.
>
> If we want to free ourselves from reliance on inscrutable binary blobs,
> isn't something like that the only way?

Sorry for replying to my own post, but I couldn't help myself. If anyone
thinks the above sounds too paranoid, remember the Ken Thompson hack:

http://www.c2.com/cgi/wiki?TheKenThompsonHack

Chilling!

--
Chris