oss-sec mailing list archives

Attestation, reproducible builds, and bootstrapping


From: Ludovic Courtès <ludo () gnu org>
Date: Wed, 24 May 2023 22:57:39 +0200

Hi,

Brian Behlendorf <brian () behlendorf com> skribis:

> A clear and more formal way of understanding the different levels of
> attestation of one's build environment can be found in the SLSA
> specification. Here's a story about how Google Cloud incorporates it
> into build service:
>
> https://slsa.dev/blog/2022/12/gcb-slsa-verification
>
> Of course attestation is not proof, and even human certification can
> only go so far. Reproducible builds offer a path there but that goal
> seems just as far away as it was 20 years ago, when Java was going to
> solve that for us.

This is not true: reproducible builds are a reality for a number of
distros already and also upstream (for GNU Guix, we measure 85%
reproducibility on 22K packages; Debian might be even higher).

Bootstrapping has also gone a long way: Guix’s package graph is now
rooted in a 357-byte “binary”¹; everything else (with the exception of a
couple of bootstrap compilers such as GHC, for now) is built from
source, in isolated environments.  A similar bootstrap path is used by
freedesktop-sdk².

So I disagree that one has to resort to attestation and certification;
verifiability and auditability are evidently achievable and they provide
much stronger guarantees.

Ludo’.

¹ https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/
² https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/11557
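The verifiability argument above rests on a simple mechanic: if two independent builders produce bit-identical artifacts from the same source, anyone can rebuild and compare digests instead of trusting an attestation. The following is an added example, not code from this thread, from Guix, Debian or freedesktop-sdk; it packs a constructed set of files into a tar archive the way a naive build would (wall-clock timestamps, builder uid, directory order) and the way a reproducible build does (SOURCE_DATE_EPOCH, neutral ownership, sorted entries), then shows the rebuild-and-compare check a verifier runs. File names, contents and the `build_archive` / `reproducible_build` / `verify_rebuild` helpers are all assumptions of this example.

```python
"""Reproducible-build check: build the same inputs in several "independent"
builder environments and compare artifact digests.

Added example; it is not the code of any project named in the thread.
Assumes a tiny in-memory package (constructed files below) packed as a tar
archive. The same normalisation applies to real packaging: pin timestamps
to SOURCE_DATE_EPOCH, neutralise ownership, sort inputs.
"""
import hashlib
import io
import tarfile
import time


# Constructed sample inputs standing in for a package's build outputs.
SAMPLE_FILES = {
    "usr/lib/hello/data.bin": bytes(range(256)),
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"hello, world\n",
}


def build_archive(files, mtime, uid, gid, sorted_entries):
    """Pack `files` into a USTAR tar archive and return its bytes.

    Every header field that could leak the build environment (mtime, uid,
    gid, uname/gname, entry order) is controlled by the caller so the two
    build styles below differ only in what they pass here.
    """
    buf = io.BytesIO()
    names = sorted(files) if sorted_entries else list(files)
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = int(mtime)
            info.uid, info.gid = uid, gid
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_build(files, now=None, builder_uid=1000):
    """Unreproducible build: stamps the artifact with the wall clock, the
    builder's uid and whatever order the inputs happened to be listed in."""
    now = time.time() if now is None else now
    return build_archive(files, mtime=now, uid=builder_uid, gid=builder_uid,
                         sorted_entries=False)


def reproducible_build(files, source_date_epoch):
    """Reproducible build: every environment-dependent field is pinned."""
    return build_archive(files, mtime=source_date_epoch, uid=0, gid=0,
                         sorted_entries=True)


def digest(artifact):
    """SHA-256 of the artifact, the value a distributor would publish."""
    return hashlib.sha256(artifact).hexdigest()


def independent_builders_agree(build, files, n=3):
    """Run `build` n times, as n separate builders would, and report whether
    they all produced the same digest (the reproducibility property)."""
    return len({digest(build(files)) for _ in range(n)}) == 1


def verify_rebuild(published_digest, build, files):
    """Verifier's check: rebuild locally from source and compare with the
    digest the distributor published. No attestation is consulted; a
    mismatch means either the build is not reproducible or the published
    artifact was not produced from this source."""
    return digest(build(files)) == published_digest


if __name__ == "__main__":
    epoch = 1684962000  # constructed SOURCE_DATE_EPOCH value
    print("reproducible builders agree:",
          independent_builders_agree(lambda f: reproducible_build(f, epoch),
                                     SAMPLE_FILES))
    print("naive builders agree:",
          independent_builders_agree(naive_build, SAMPLE_FILES))
    published = digest(reproducible_build(SAMPLE_FILES, epoch))
    print("rebuild matches published digest:",
          verify_rebuild(published, lambda f: reproducible_build(f, epoch),
                         SAMPLE_FILES))
```

Run as a script it reports that the pinned build is stable across builders and that an independent rebuild matches the published digest; the naive build only agrees with itself while the clock and uid happen to coincide, which is exactly the gap that attestation papers over and reproducibility removes.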