From: "Orians, Jeremiah (DTMB)"
To: General discussions about reproducible builds, Ludovic Courtès
CC: Thiago Jung Bauermann, "guix-devel@gnu.org", "bootstrappable@freelists.org"
Subject: RE: GNU Mes 0.24 released
Date: Mon, 9 May 2022 20:22:21 +0000

>> The common objection is: "you're building from source but you're not
>> gonna audit all that source code anyway, so why bother?" I think it's
>> akin to security by obscurity. That we collectively can and do fiddle
>> with all this code makes a practical difference; that this is all
>> transparent means that backdoors become harder to hide.

Well, from root binaries to GNU Mes (along with the extras such as sha256sum, ungz and untar), if printed on single-sided paper at size 12 font, would be only 171 pages.

So not that hard after all; after that you can leverage sha256sums and chains of trust to do the rest.

> I saw a project a while ago with an interesting approach that looks very interesting for tackling this problem: crowd-sourced, social code review:
> https://github.com/crev-dev/crev

Looks interesting.

-Jeremiah