From: ndre <nandre@riseup.net>
To: help-guix@gnu.org
Subject: Re: How to present Guix to a wider audience
Date: Tue, 21 Jan 2020 18:49:40 -0300 [thread overview]
Message-ID: <20200121214940.GA7192@andel> (raw)
In-Reply-To: <874kwyp9hi.fsf@ambrevar.xyz>
[-- Attachment #1: Type: text/plain, Size: 5205 bytes --]
Hello,
ter 14 jan 2020 às 12:23:37 (1579015417), mail@ambrevar.xyz enviou:
> I just wrote a short draft which hopefully should explain in layman
> terms why Guix matters.
>
> I tried to keep short (< 1000 words) and to stick to non-technical vocabulary.
>
> Let me know what you think!
Nice work Pierre. I have only some small suggestions. Even though I've increased
the number of characters, I think the result is more friendly on the reader.
> #+TITLE: Why Guix matters
---> SNIP unmodified text.
> * The assembly line of software
>
> Applications are /written/ in the form of /source code/, which is a series of
> instructions for the computer stored as text files. But the machine cannot read
> theses files directly: it must first be /compiled/ into /machine code/. The
> resulting /compiled application/ can then be run by the user.
I'd slightly change this introduction to present source code, machine code and
compilers in more familiar terms if we are targeting a broader audience, since
they might sound as tech jargon at first. Thus the above text could be
something like:
"Applications are /written/ in programming languages, which are specialized human
languages made up to give instructions to computers. As such, they are usually a
subset of English language with a special syntax which purports to avoid ambiguity.
But computers cannot understand these human languages, in fact they can only
/understand/ machine language, which are series of operating instructions coded
with numbers.
So, in order to run an application on a computer, someone has to translate it
from the programming language in which it was written to the target machine
language which the computer /understands/. This is the work of /compilers/,
which are specialized software that automate the translation task. The result
of their translation to machine language is called /compiled code/. The program
as expressed on a programming language is called /source code/."
> While source code access gives you a pretty high level of transparency and
> allows you to inspect what the program will do, compiled programs are a
> practically unreadable sequence of 1 and 0. They are effectively /black boxes/.
And this one as follows:
"Now while the source code is intelligible to humans and offers a pretty high
level of transparency of its logic, compiled code is a virtualy unreadable
sequence of numbers. In order to understand it, a human would have to decode
the numbers to the appropriate instructions, do the binary arithmetic they
represent and have intimate knowledge of the hardware. Moreover, one instruction
on source code translates to several coded instructions on machine language.
Thus, they are effectively /black boxes/."
> * Open source is not enough
>
> We might be tempted to think that free open source software gives us
> transparency about what's in the application. While the compiled application we
> download from the Internet is a black box, we could just compile the source code
> ourselves and compare the result with the downloaded application, right? If it's
> identical, then we are good.
>
> So why is free, open source software not trustworthy then? Because when you
compile the source code twice, chances are that you'll get slightly different
sequences of numbers. So how can you know that the compiled software you've
downloaded is in fact a proper translation of the source code instead of some
modified version of it?
>
> In practice this means that it's almost always impossible to /reproduce/ the
> exact same compiled application that is offered for download.
>
Notice that it's enough that merely one 0 or 1 got flipped for the behaviour
> of the application to change completely. In other words, if two applications
> are not identical to the bit, everything can happen and all trust vanishes.
>
> This lack of reliability in the compilation of applications comes from the
> "chaos" in the machine environment: slightly different software used for
> compilation (e.g. different versions), different hardware, different date...
> The slightest difference in the compilation environment is susceptible to flip a
> bit.
>
> This is called the /reproduciblity/ problem.
>
> * Software is made with software
>
> The compiler is also an application that must be compiled, by another compiler,
> from some source code. The same applies to this other compiler, and so on. It
> seems to be a chicken and egg problem: can we ever trust any compiler then?
>
> It is actually possible: if we go up the chain of compilers far enough, we reach
a level where have a trivial "machine level" compiler that can build a simple
compiler from source.
> This machine-readable file is small enough that it is no longer a black box and
can be inspected by humans and it is also the only piece of software which needs
the tedious decoding process done. This simpler compiler can in turn build a more
> complex compiler, etc., until we get today's compilers.
>
> This is called the /bootstrappability/ problem.
>
---> SNIP all the rest.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 841 bytes --]
next prev parent reply other threads:[~2020-01-21 21:50 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-02 10:03 How to present Guix to a wider audience Pierre Neidhardt
2020-01-02 18:18 ` zimoun
2020-01-08 15:33 ` Pierre Neidhardt
2020-01-08 16:32 ` Ricardo Wurmus
2020-01-08 20:18 ` zimoun
[not found] ` <24DdUL_0dCHlf-Jsotb_z0Mxz7kuUpI_FeBoRrbgJUypYRxvic9u3GhPfBwAiz5ZGjRxITivscu59w_-BPA2cIY_wSbypis89M7Jb8AglBM=@protonmail.com>
[not found] ` <CAJ3okZ1CQ1zvbHnFT6EmB+yYFwcAszZ0baroyj03LzTK7AhBXw@mail.gmail.com>
2020-01-10 9:52 ` wisdomlight--- via
2020-01-10 12:19 ` Pierre Neidhardt
2020-01-02 19:20 ` Ricardo Wurmus
2020-01-08 15:26 ` Pierre Neidhardt
2020-01-14 11:23 ` Pierre Neidhardt
2020-01-14 15:58 ` Jack Hill
2020-01-14 17:00 ` Pierre Neidhardt
2020-01-14 21:01 ` Jack Hill
2020-01-14 23:44 ` Dimakakos Dimos
2020-01-15 0:07 ` Vagrant Cascadian
2020-01-15 8:52 ` Pierre Neidhardt
2020-01-15 0:20 ` Josh
2020-01-15 8:57 ` Pierre Neidhardt
2020-01-15 5:59 ` Arun Isaac
2020-01-15 8:53 ` Pierre Neidhardt
2020-01-15 8:59 ` Pierre Neidhardt
2020-01-15 17:44 ` sirgazil
2020-01-19 11:03 ` Todor Kondić
2020-01-19 15:57 ` wisdomlight
2020-01-21 21:49 ` ndre [this message]
2020-01-22 11:00 ` Pierre Neidhardt
2020-01-22 17:35 ` Pierre Neidhardt
2020-01-23 14:44 ` Kelsang Sherab
2020-01-23 21:25 ` Pierre Neidhardt
2020-02-11 7:45 ` Pierre Neidhardt
2020-02-11 17:38 ` Josh Marshall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200121214940.GA7192@andel \
--to=nandre@riseup.net \
--cc=help-guix@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.