pleroma.debian.social

@ska
Following that logic, since C was developed at AT&T, it must be complete shit.

I think you might be on to something here. /s
@ariadne @dysfun

@ska
So, I understand the need to say that everything is capitalism's fault, but I dunno, perhaps look at the language based on its merits? There's a lot to dislike but also a lot to like in rust, regardless of where it came from. 🙄
@ariadne @dysfun

@ska
We have that, modulo the fact that to bootstrap, you first cross compile on a different platform.

Binaries are really just compiler output; writing and maintaining them by hand has no benefits and only downsides.

I mean, it's not the 1950s anymore.
@ariadne @dysfun @daxtens @dalias
replies
1
announces
0
likes
0

@ska
Reproducible builds is what solves trusting trust. Handwritten binaries isn't; very few people have the skills required to validate those.
@dalias @daxtens @ariadne @dysfun

@ska
Only if the reproducer uses the same compromised tool chain. The whole point of reproducible builds is that you can in fact use your own version of the tool chain and still get the same result.

Cc @reproducible_builds

@ska
Or, well, that the compromise will be exposed, I mean 😉
@reproducible_builds

@ska @reproducible_builds If I build a version of some reproducibly-built software using a compromised tool chain and you built it using a non compromised one, and you shared the relevant bits of the output with me, then we know that one of us has a fishy compiler and the trusting trust issues are discovered.

That still leaves figuring out what happened, of course, but you don't need to be an expert to get this far. With your method of auditing binaries, you do.

@ska @reproducible_builds Note that reproducible builds doesn't necessarily give you bit-for-bit identical binaries, and that's also not necessary. What they give you is a toolkit to figure out which changes are normal results of different build dependencies, and which ones aren't. Things like diffoscope, e.g.

@raboof @ska @reproducible_builds Sure; I meant to say that you can detect trusting trust issues without bit-by-bit identical binaries. Having those makes the detection even easier, of course!