Running the "Reflections on Trusting Trust" Compiler (2023)

https://research.swtch.com/nih

120•naves•2mo ago

Comments

EvanAnderson•2mo ago

(2023)

Discussion at the time: https://news.ycombinator.com/item?id=38020792

riemannzeta•2mo ago

Reflections on Trusting "Reflections on Trusting Trust"?

Y_Y•2mo ago

Would be fun to see if an llm could produce this (assuming tfa and other solutions weren't present in the training data).

kpcyrd•2mo ago

> Even when source is available, as in open source operating systems like Linux, approximately no one checks that the distributed binaries match the source code.

This was not the case in 2023 for Arch Linux[1] back when the post was originally published, and is also not the case for Debian[2] since 2024.

[1]: https://reproducible.archlinux.org/

[2]: https://reproduce.debian.net/

lrvick•2mo ago

My team and I built stagex as the first software build toolchain that internally mandates 100% determinism and full source bootstrapping. It is explicitly designed for supply chain security to trust no single human or computer.

Also container native and soon to be LLVM native.

It is our best answer so far to the ROTT paper.

https://codeberg.org/stagex/stagex

pabs3•2mo ago

See also the Bootstrappable Builds website/community.

https://bootstrappable.org/

lrvick•2mo ago

Also the wider reproducible builds website/community https://reproducible-builds.org/

Also live-bootstrap, stage0, mrustc, mes, and so many amazing projects whose combined efforts all helped finally make probably trustworthy toolchains a thing.

pabs3•2mo ago

Very few OS distros have adopted Bootstrappable Builds unfortunately.

lrvick•2mo ago

Only stagex and Nix/Guix that I am aware of.

Panzerschrek•2mo ago

How real is this specific case of supply chain attack? Are there any known cases of this specific attack?

lrvick•2mo ago

At least strong evidence it happened once: https://niconiconi.neocities.org/posts/ken-thompson-really-d...

With careful planning though, with the ability to rootkit any linux kernel it compiles that in turn hot-patches any gcc compilations and so on, with the ability to re-route system calls to hide itself... it could be very very hard to detect.

Even moreso if such was deployed in a couple target CI/CD systems.

bootstrappable builds are the only path to prove such an attack did not happen.

Microsoft appointed a quality czar. He has no direct reports and no budget

Multi-agent coordination on Claude Code: 8 production pain points and patterns

Washington Post CEO Will Lewis Steps Down After Stormy Tenure

DevXT – Building the Future with AI That Acts

A Minimal OpenClaw Built with the OpenCode SDK

The silent death of Good Code

The Internal Negotiation You Have When Your Heart Rate Gets Uncomfortable

Show HN: Glance – Fast CSV inspection for the terminal (SIMD-accelerated)

Busy for the Next Fifty to Sixty Bud

Imperative

Show HN: I decomposed 87 tasks to find where AI agents structurally collapse

I went back to Linux and it was a mistake

Octrafic – open-source AI-assisted API testing from the CLI

US Accuses China of Secret Nuclear Testing

Peacock. A New Programming Language

A postcard arrived: 'If you're reading this I'm dead, and I really liked you'

What to know about the software selloff

Show HN: Syntux – generative UI for websites, not agents

Microsoft appointed a quality czar. He has no direct reports and no budget

AI overlay that reads anything on your screen (invisible to screen capture)

Show HN: Seafloor, be up and running with OpenClaw in 20 seconds

Tesla turbine-inspired structure generates electricity using compressed air

State Department deleting 17 years of tweets (2009-2025); preservation needed

Learning to code, or building side projects with AI help, this one's for you

Effulgence RPG Engine [video]

Five disciplines discovered the same math independently – none of them knew

We Scanned an AI Assistant for Security Issues: 12,465 Vulnerabilities

Amazon no longer defend cloud customers against video patent infringement claims

Show HN: Medinilla – an OCPP compliant .NET back end (partially done)

How Does AI Distribute the Pie? Large Language Models and the Ultimatum Game

Microsoft appointed a quality czar. He has no direct reports and no budget

Multi-agent coordination on Claude Code: 8 production pain points and patterns

Washington Post CEO Will Lewis Steps Down After Stormy Tenure

DevXT – Building the Future with AI That Acts

A Minimal OpenClaw Built with the OpenCode SDK

The silent death of Good Code

The Internal Negotiation You Have When Your Heart Rate Gets Uncomfortable

Show HN: Glance – Fast CSV inspection for the terminal (SIMD-accelerated)

Busy for the Next Fifty to Sixty Bud

Imperative

Show HN: I decomposed 87 tasks to find where AI agents structurally collapse

I went back to Linux and it was a mistake

Octrafic – open-source AI-assisted API testing from the CLI

US Accuses China of Secret Nuclear Testing

Peacock. A New Programming Language

A postcard arrived: 'If you're reading this I'm dead, and I really liked you'

What to know about the software selloff

Show HN: Syntux – generative UI for websites, not agents

Microsoft appointed a quality czar. He has no direct reports and no budget

AI overlay that reads anything on your screen (invisible to screen capture)

Show HN: Seafloor, be up and running with OpenClaw in 20 seconds

Tesla turbine-inspired structure generates electricity using compressed air

State Department deleting 17 years of tweets (2009-2025); preservation needed

Learning to code, or building side projects with AI help, this one's for you

Effulgence RPG Engine [video]

Five disciplines discovered the same math independently – none of them knew

We Scanned an AI Assistant for Security Issues: 12,465 Vulnerabilities

Amazon no longer defend cloud customers against video patent infringement claims

Show HN: Medinilla – an OCPP compliant .NET back end (partially done)

How Does AI Distribute the Pie? Large Language Models and the Ultimatum Game

Running the "Reflections on Trusting Trust" Compiler (2023)

Comments