IRC channel logs

2025-03-09.log


<evrial>Hi all, I have a serious question: which compilers were built from scratch to be auditable with minimal moving parts, and are we in a position to build Firefox with them now or not?
<evrial>Or calculate attack surface of supply chain of building Firefox
<janneke>evrial: GNU Guix implemented the full source bootstrap and include Icecate (a free version of Firefox)
<janneke>*includes
<janneke>*Icecat -- /me has problems typing today!
<evrial>but it uses GCC and glibc in the chain?
<evrial>I'm questioning the viability of those in the future
<janneke>yes, of course; it uses a fully bootstrapped gcc and glibc
<evrial>those are some of the complex parts of the chain
<janneke>sure, blindly trusting a binary gcc is much less complex
<evrial>but building those takes many stages of previous versions?
<evrial>so the attack surface sums up
<janneke>yes, and no
<janneke>icecat built in guix with gcc-14 is pretty much comparable with icecat built in, say, debian with gcc-14
<janneke>gcc-14 still passed all its tests
<janneke>the difference being that you can *inspect* all source that was used to build guix's gcc-14
<evrial>yes that's what I care, inspection and redundant moving parts
<janneke>whereas (say) debian's gcc-14 was built using a non-inspectable binary
<janneke>you choose, have the possibility to inspect, or not have it
<janneke>debian's gcc-14 *also* has history of being built with previous versions
<evrial>yes sure that's better than nothing, but you have to inspect more than a single version of the compiler
<evrial>that's why I'm questioning its future
<janneke>to assume that guix's gcc-14 has a "larger attack surface" than debian's is ridiculous
<janneke>right, if you're saying: we as a bootstrappable community have more work to do, then: agreed
<janneke>we just like to prioritize our work :)
<evrial>absolutely. I only care about bare minimum of moving parts and simplicity of audit
<evrial>but compiler devs think the other way
<janneke>yeah
<matrix_bridge><Andrius Štikonas> cosinusoidally: I've just restarted the bridge, hopefully it is back
<matrix_bridge><cosinusoidally> thanks
<stikonas>gtker: I think that initialization lists PR would fail on RISC-V..