Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 24 May 2023 22:57:39 +0200
From: Ludovic Courtès <>
To: Brian Behlendorf <>
Subject: Attestation, reproducible builds, and bootstrapping


Brian Behlendorf <> skribis:

> A clear and more formal way of understanding the different levels of
> attestation of one's build environment can be found in the SLSA
> specification. Here's a story about how Google Cloud incorporates it
> into build service:
> Of course attestation is not proof, and even human certification can
> only go so far. Reproducible builds offer a path there but that goal
> seems just as far away as it was 20 years ago, when Java was going to
> solve that for us.

This is not true: reproducible builds are a reality for a number of
distros already and also upstream (for GNU Guix, we measure 85%
reproducibility on 22K packages; Debian might be even higher).

Bootstrapping has also gone a long way: Guix’s package graph is now
rooted in a 357-byte “binary”¹; everything else (with the exception of a
couple of bootstrap compilers such as GHC, for now) is built from
source, in isolated environments.  A similar bootstrap path is used by

So I disagree that one has to resort to attestation and certification;
verifiability and auditability are evidently achievable and they provide
much stronger guarantees.



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.