unofficial mirror of guix-devel@gnu.org 
From: "Orians, Jeremiah (DTMB)" <OriansJ@michigan.gov>
To: "General discussions about reproducible builds"
	<rb-general@lists.reproducible-builds.org>,
	"Ludovic Courtès" <ludo@gnu.org>
Cc: Thiago Jung Bauermann <bauermann@kolabnow.com>,
	"guix-devel@gnu.org" <guix-devel@gnu.org>,
	"bootstrappable@freelists.org" <bootstrappable@freelists.org>
Subject: RE: GNU Mes 0.24 released
Date: Mon, 9 May 2022 20:22:21 +0000
Message-ID: <PH0PR09MB8217E6DFF094A893FA541012C6C69@PH0PR09MB8217.namprd09.prod.outlook.com>
In-Reply-To: <87ilqfo9a4.fsf@kolabnow.com>

>> The common objection is: "you're building from source but you're not 
>> gonna audit all that source code anyway, so why bother?"  I think it's 
>> akin to security by obscurity.  That we collectively can and do fiddle 
>> with all this code makes a practical difference; that this is all 
>> transparent means that backdoors become harder to hide.
Well, from root binaries to GNU Mes (along with the extras such as sha256sum, ungz and untar), if printed on single-sided paper at size 12 font, it would be only 171 pages.
So not that hard after all; after that you can leverage sha256sums and chains of trust to do the rest.

> I saw a project a while ago with an interesting approach that looks very interesting for tackling this problem: crowd-sourced, social code
> review:
> https://github.com/crev-dev/crev
Looks interesting

-Jeremiah


