From: Federico Beffa
Subject: Re: How to reduce our vulnerability from self-hosted compilers
Date: Fri, 27 Feb 2015 12:25:53 +0100
To: ludo@gnu.org
Cc: Guix-devel

ludo@gnu.org (Ludovic Courtès) writes:

> I think it’s a good idea, but I wonder if it is generally applicable.
>
> For instance, ISTR that GHC can be built with a couple of older versions
> whereas MIT Scheme may well require itself. What exactly is possible is
> not always well-documented and sometimes only known to few people.

For GHC (at least currently) it is well documented, see
https://ghc.haskell.org/trac/ghc/wiki/Building/Preparation/Tools

In principle I agree with Mark's suggestion. However, I have a couple of comments.

My intention was to build GHC and get rid of the required GHC bootstrap binary from GUIX altogether. With the current patch the store doesn't need to include the bootstrap binaries which, when uncompressed, require 940MB! The compressed bootstrap binary archive is "only" 68MB. (I'm thinking about download time here. But maybe we could force a local "build" as discussed for TeXLive.)

The other point is: given that we know the hash of the tar file, if somebody manages to hack them, we will detect it.

Regards,
Fede