* GNU Mes 0.24 released
@ 2022-05-02 18:04 Jan Nieuwenhuizen
2022-05-07 22:34 ` Ludovic Courtès
0 siblings, 1 reply; 8+ messages in thread
From: Jan Nieuwenhuizen @ 2022-05-02 18:04 UTC (permalink / raw)
To: info-gnu; +Cc: guix-devel, rb-general, bootstrappable
[-- Attachment #1: Type: text/plain, Size: 5049 bytes --]
We are thrilled to announce the release of GNU Mes 0.24, representing
222 commits over one year by four people.
Mes has now been ported to M2-Planet and can be bootstrapped using
stage0-posix[0], starting from the 357-byte hex0 binary of the
bootstrap-seeds[1], as was promised at FOSDEM'21[2].
We are exciteda that the NlNet Foundation[4] is again sponsoring this
work!
What's next?
Work to integrate this so-called "Full Source Bootstrap" is happening on
the wip-full-source-bootstrap[3] branch. Also, full Guile compatible
module support, and RICS-V support.
Enjoy!
* About
GNU Mes[5] is a Scheme interpreter and C compiler for bootstrapping
the GNU System. Since version 0.22 it has again helped to halve the
size of opaque, uninspectable binary seeds that are currently being
used in the Reduced Binary Seed bootstrap[6] of GNU Guix[7]. The
final goal is to help create a full source bootstrap as part of the
bootstrappable builds[8] effort for UNIX-like operating systems.
The Scheme interpreter is written in ~5,000 LOC of simple C, and the C
compiler written in Scheme and these are mutual self-hosting. Mes can
now be bootstrapped from M2-Planet[9] and Mescc-Tools[10].
Mes has a Garbage Collector, a library of loadable Scheme modules--
notably Dominique Boucher's LALR[11], Pre-R6RS portable
syntax-case[12] with R7RS ellipsis, Matt Wette's Nyacc[13] --and test
suite, just enough to support a REPL and a C99 compiler: mescc.
Mes + MesCC + Mes C Library can build a bootstrappable TinyCC[14] that
is self-hosting. Using this tcc and the Mes C library we now have a
Reduced Binary Seed bootstrap for the gnutools triplet: glibc-2.2.5,
binutils-2.20.1, gcc-2.95.3. This is enough to bootstrap Guix for
i686-linux, x86_64-linux, armhf-linux and aarch64-linux.
Mes is inspired by The Maxwell Equations of Software: LISP-1.5[15] --
John McCarthy page 13, GNU Guix's source/binary packaging transparency
and Jeremiah Orians's stage0[16] 357-byte self-hosting hex assembler.
* Download
git clone git://git.savannah.gnu.org/mes.git
Here are the compressed sources and a GPG detached signature[*]:
https://ftp.gnu.org/gnu/mes/mes-0.24.tar.gz
https://ftp.gnu.org/gnu/mes/mes-0.24.tar.gz.sig
Use a mirror for higher download bandwidth:
https://ftpmirror.gnu.org/mes/mes-0.24.tar.gz
https://ftpmirror.gnu.org/mes/mes-0.24.tar.gz.sig
Here are the SHA1 and SHA256 checksums:
f6681aa02edc6729af43f1d7c46ae1a97cbc1c92 mes-0.24.tar.gz
828be15e02c103df8a248232491fba10d763724d6ec10f08a2e0e1d249bd9902 mes-0.24.tar.gz
[*] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:
gpg --verify mes-0.24.tar.gz.sig
If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to update
or refresh it, and then rerun the 'gpg --verify' command.
gpg --recv-keys 1A858392E331EAFDB8C27FFBF3C1A0D9C1D65273
* Get informed, get involved
See https://bootstrappable.org
Join #bootstrappable on irc.libera.chat
* NEWS
* Changes in 0.24 since 0.23
** Core
*** Mes and Mes C Library can now be built with M2-Planet.
*** Mes now supports the --bootstrap build on ARM.
** MesCC
*** MesCC now supports the integer suffixes:
Next to `U', also support `ULL', `UL', `L', and `LL'.
** Noteworthy bug fixes
*** MesCC now uses the unsigned type for sizeof.
*** MesCC now only uses signed division if numerator is signed.
*** The Mes C library now supports an argv bigger than 255.
*** Development build support with Guile-2 was resurrected.
*** The logand procedure now works correctly.
*** The 64bit build was resurrected.
* Links
[0] https://github.com/oriansj/stage0-posix
[1] https://github.com/oriansj/bootstrap-seeds
[2] https://archive.fosdem.org/2021/schedule/event/gnumes/
[3] https://git.savannah.gnu.org/cgit/guix.git/log/?h=wip-full-source-bootstrap
[4] https://nlnet.nl/project/GNUMes-ARM_RISC-V
[5] https://www.gnu.org/software/mes
[6] https://guix.gnu.org/blog/2020/guix-further-reduces-bootstrap-seed-to-25
[7] https://www.gnu.org/software/guix
[8] https://bootstrappable.org
[9] https://github.com/oriansj/m2-planet
[10] https://savannah.nongnu.org/projects/mescc-tools
[11] https://github.com/schemeway/lalr-scm
[12] https://www.cs.indiana.edu/chezscheme/syntax-case/old-psyntax.html
[13] https://www.nongnu.org/nyacc
[14] https://gitlab.com/janneke/tinycc
[15] http://www.softwarepreservation.org/projects/LISP/book/LISP%201.5%20Programmers%20Manual.pdf
[16] https://savannah.nongnu.org/projects/stage0
--
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond https://lilypond.org
Freelance IT https://JoyOfSource.com | Avatar® https://AvatarAcademy.com
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: GNU Mes 0.24 released
2022-05-02 18:04 GNU Mes 0.24 released Jan Nieuwenhuizen
@ 2022-05-07 22:34 ` Ludovic Courtès
2022-05-07 23:11 ` Larry Doolittle
2022-05-09 0:03 ` Thiago Jung Bauermann
0 siblings, 2 replies; 8+ messages in thread
From: Ludovic Courtès @ 2022-05-07 22:34 UTC (permalink / raw)
To: Jan Nieuwenhuizen; +Cc: guix-devel, rb-general, bootstrappable
Heya,
Jan Nieuwenhuizen <janneke@gnu.org> skribis:
> Mes has now been ported to M2-Planet and can be bootstrapped using
> stage0-posix[0], starting from the 357-byte hex0 binary of the
> bootstrap-seeds[1], as was promised at FOSDEM'21[2].
This is amazing… congrats to you & everyone involved! You made it! :-)
The ability to build literally everything from source, with reproducible
builds, is a game changer IMO when it comes to supply chain security.
The common objection is: “you’re building from source but you’re not
gonna audit all that source code anyway, so why bother?” I think it’s
akin to security by obscurity. That we collectively can and do fiddle
with all this code makes a practical difference; that this is all
transparent means that backdoors become harder to hide.
Supply chain security is a spectrum and I think this achievement changes
what we can expect and demand.
Ludo’.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: GNU Mes 0.24 released
2022-05-07 22:34 ` Ludovic Courtès
@ 2022-05-07 23:11 ` Larry Doolittle
2022-05-08 13:55 ` Sébastien Lerique
2022-05-09 14:00 ` indieterminacy
2022-05-09 0:03 ` Thiago Jung Bauermann
1 sibling, 2 replies; 8+ messages in thread
From: Larry Doolittle @ 2022-05-07 23:11 UTC (permalink / raw)
To: General discussions about reproducible builds
Cc: Jan Nieuwenhuizen, guix-devel, bootstrappable
Ludovic and friends -
On Sun, May 08, 2022 at 12:34:47AM +0200, Ludovic Courtès wrote:
> Jan Nieuwenhuizen <janneke@gnu.org> skribis:
> > Mes has now been ported to M2-Planet and can be bootstrapped using
> > stage0-posix[0], starting from the 357-byte hex0 binary of the
> > bootstrap-seeds[1], as was promised at FOSDEM'21[2].
> This is amazing… congrats to you & everyone involved! You made it! :-)
+1
> The common objection is: “you’re building from source but you’re not
> gonna audit all that source code anyway, so why bother?” [...]
> Supply chain security is a spectrum and I think this achievement changes
> what we can expect and demand.
I've had this conversation before, any my analogy is to the
three legs of a stool. Bootstrapped toolchains, reproducible builds,
and source-code audits. Each one is arguably useless without the others,
but taken together, you've actually accomplished something meaningful.
Maybe I should also include "cryptographically signed artifact distribution"
on that list.
- Larry
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: GNU Mes 0.24 released
2022-05-07 23:11 ` Larry Doolittle
@ 2022-05-08 13:55 ` Sébastien Lerique
2022-05-08 19:49 ` Larry Doolittle
2022-05-09 14:00 ` indieterminacy
1 sibling, 1 reply; 8+ messages in thread
From: Sébastien Lerique @ 2022-05-08 13:55 UTC (permalink / raw)
To: Larry Doolittle
Cc: General discussions about reproducible builds, Jan Nieuwenhuizen,
bootstrappable, guix-devel
Amazing indeed!
On 07 May 2022 at 16:11, Larry Doolittle <larry@doolittle.boa.org> wrote:
>> The common objection is: “you’re building from source but you’re not
>> gonna audit all that source code anyway, so why bother?” [...]
>> Supply chain security is a spectrum and I think this achievement changes
>> what we can expect and demand.
>
> I've had this conversation before, any my analogy is to the
> three legs of a stool. Bootstrapped toolchains, reproducible builds,
> and source-code audits. Each one is arguably useless without the others,
> but taken together, you've actually accomplished something meaningful.
> Maybe I should also include "cryptographically signed artifact distribution"
> on that list.
>
In a similar line, Bunnie Huang gave an interesting talk about the
hardware trust level a few years ago [0], which led to the Precursor
project [1,2].
Cheers,
Sébastien
[0] https://media.ccc.de/v/36c3-10690-open_source_is_insufficient_to_solve_trust_problems_in_hardware
[1] https://www.crowdsupply.com/sutajio-kosagi/precursor
[2] https://www.bunniestudios.com/blog/?p=5979
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: GNU Mes 0.24 released
2022-05-08 13:55 ` Sébastien Lerique
@ 2022-05-08 19:49 ` Larry Doolittle
0 siblings, 0 replies; 8+ messages in thread
From: Larry Doolittle @ 2022-05-08 19:49 UTC (permalink / raw)
To: Sébastien Lerique
Cc: General discussions about reproducible builds, Jan Nieuwenhuizen,
bootstrappable, guix-devel
Sébastien -
On Sun, May 08, 2022 at 10:55:41PM +0900, Sébastien Lerique wrote:
> In a similar line, Bunnie Huang gave an interesting talk about the
> hardware trust level a few years ago, which led to the Precursor
> project.
Right. We (the world in general, and open-source and security communities
in particular) are lucky to have bunnie out there finding creative ways
to contribute.
I'm really happy to see risc-v in the mes-supported list.
I was at the 5th RISC-V Workshop in 2016, and heard Eric Grosse, then
Google's VP of Security and Privacy, say that a future without risc-v
was too scary to consider.
Obligatory xkcd: Stack https://xkcd.com/2166/
- Larry
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: GNU Mes 0.24 released
2022-05-07 22:34 ` Ludovic Courtès
2022-05-07 23:11 ` Larry Doolittle
@ 2022-05-09 0:03 ` Thiago Jung Bauermann
2022-05-09 20:22 ` Orians, Jeremiah (DTMB)
1 sibling, 1 reply; 8+ messages in thread
From: Thiago Jung Bauermann @ 2022-05-09 0:03 UTC (permalink / raw)
To: Ludovic Courtès
Cc: Jan Nieuwenhuizen, rb-general, bootstrappable, guix-devel
Hello,
Ludovic Courtès <ludo@gnu.org> writes:
> Jan Nieuwenhuizen <janneke@gnu.org> skribis:
>
>> Mes has now been ported to M2-Planet and can be bootstrapped using
>> stage0-posix[0], starting from the 357-byte hex0 binary of the
>> bootstrap-seeds[1], as was promised at FOSDEM'21[2].
>
> This is amazing… congrats to you & everyone involved! You made it! :-)
>
> The ability to build literally everything from source, with reproducible
> builds, is a game changer IMO when it comes to supply chain security.
Indeed, this is awesome!
> The common objection is: “you’re building from source but you’re not
> gonna audit all that source code anyway, so why bother?” I think it’s
> akin to security by obscurity. That we collectively can and do fiddle
> with all this code makes a practical difference; that this is all
> transparent means that backdoors become harder to hide.
I saw a project a while ago with an interesting approach that looks very
interesting for tackling this problem: crowd-sourced, social code
review:
https://github.com/crev-dev/crev
If many people review a piece of code and there's a system to record
those reviews, then it's possible to get a metric that is proportional
to the trustworthiness of said code.
It's a big task, but for unchanging code bases (such as the bootstrap
chain), it's a finite amount of work...
--
Thanks
Thiago
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: GNU Mes 0.24 released
2022-05-07 23:11 ` Larry Doolittle
2022-05-08 13:55 ` Sébastien Lerique
@ 2022-05-09 14:00 ` indieterminacy
1 sibling, 0 replies; 8+ messages in thread
From: indieterminacy @ 2022-05-09 14:00 UTC (permalink / raw)
To: Larry Doolittle
Cc: General discussions about reproducible builds, Jan Nieuwenhuizen,
bootstrappable, guix-devel
Larry Doolittle <larry@doolittle.boa.org> writes:
> Ludovic and friends -
>
> On Sun, May 08, 2022 at 12:34:47AM +0200, Ludovic Courtès wrote:
>> Jan Nieuwenhuizen <janneke@gnu.org> skribis:
>> > Mes has now been ported to M2-Planet and can be bootstrapped using
>> > stage0-posix[0], starting from the 357-byte hex0 binary of the
>> > bootstrap-seeds[1], as was promised at FOSDEM'21[2].
>> This is amazing… congrats to you & everyone involved! You made it! :-)
>
> +1
>
>> The common objection is: “you’re building from source but you’re not
>> gonna audit all that source code anyway, so why bother?” [...]
>> Supply chain security is a spectrum and I think this achievement changes
>> what we can expect and demand.
>
> I've had this conversation before, any my analogy is to the
> three legs of a stool. Bootstrapped toolchains, reproducible builds,
> and source-code audits. Each one is arguably useless without the others,
> but taken together, you've actually accomplished something meaningful.
> Maybe I should also include "cryptographically signed artifact distribution"
> on that list.
>
> - Larry
With works this sturdy then even two tool domains suffice as a fine and
versatile stepladder...
Great job everybody!
- Jonathan
^ permalink raw reply [flat|nested] 8+ messages in thread
* RE: GNU Mes 0.24 released
2022-05-09 0:03 ` Thiago Jung Bauermann
@ 2022-05-09 20:22 ` Orians, Jeremiah (DTMB)
0 siblings, 0 replies; 8+ messages in thread
From: Orians, Jeremiah (DTMB) @ 2022-05-09 20:22 UTC (permalink / raw)
To: General discussions about reproducible builds,
Ludovic Courtès
Cc: Thiago Jung Bauermann, guix-devel@gnu.org,
bootstrappable@freelists.org
>> The common objection is: "you're building from source but you're not
>> gonna audit all that source code anyway, so why bother?" I think it's
>> akin to security by obscurity. That we collectively can and do fiddle
>> with all this code makes a practical difference; that this is all
>> transparent means that backdoors become harder to hide.
Well from root binaries to Gnu Mes (along with the extras such as sha256sum, ungz and untar) if printed on single sided paper at size 12 font would be only 171 pages.
So not that hard after all after that you can leverage sha256sums and chains of trust to do the rest
> I saw a project a while ago with an interesting approach that looks very interesting for tackling this problem: crowd-sourced, social code
> review:
> https://github.com/crev-dev/crev
Looks interesting
-Jeremiah
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2022-05-09 20:22 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-05-02 18:04 GNU Mes 0.24 released Jan Nieuwenhuizen
2022-05-07 22:34 ` Ludovic Courtès
2022-05-07 23:11 ` Larry Doolittle
2022-05-08 13:55 ` Sébastien Lerique
2022-05-08 19:49 ` Larry Doolittle
2022-05-09 14:00 ` indieterminacy
2022-05-09 0:03 ` Thiago Jung Bauermann
2022-05-09 20:22 ` Orians, Jeremiah (DTMB)
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.