Running the "Reflections on Trusting Trust" Compiler (2023)

https://research.swtch.com/nih

120•naves•2mo ago

Comments

EvanAnderson•2mo ago

(2023)

Discussion at the time: https://news.ycombinator.com/item?id=38020792

riemannzeta•2mo ago

Reflections on Trusting "Reflections on Trusting Trust"?

Y_Y•2mo ago

Would be fun to see if an llm could produce this (assuming tfa and other solutions weren't present in the training data).

kpcyrd•2mo ago

> Even when source is available, as in open source operating systems like Linux, approximately no one checks that the distributed binaries match the source code.

This was not the case in 2023 for Arch Linux[1] back when the post was originally published, and is also not the case for Debian[2] since 2024.

[1]: https://reproducible.archlinux.org/

[2]: https://reproduce.debian.net/

lrvick•2mo ago

My team and I built stagex as the first software build toolchain that internally mandates 100% determinism and full source bootstrapping. It is explicitly designed for supply chain security to trust no single human or computer.

Also container native and soon to be LLVM native.

It is our best answer so far to the ROTT paper.

https://codeberg.org/stagex/stagex

pabs3•2mo ago

See also the Bootstrappable Builds website/community.

https://bootstrappable.org/

lrvick•2mo ago

Also the wider reproducible builds website/community https://reproducible-builds.org/

Also live-bootstrap, stage0, mrustc, mes, and so many amazing projects whose combined efforts all helped finally make probably trustworthy toolchains a thing.

pabs3•2mo ago

Very few OS distros have adopted Bootstrappable Builds unfortunately.

lrvick•2mo ago

Only stagex and Nix/Guix that I am aware of.

Panzerschrek•2mo ago

How real is this specific case of supply chain attack? Are there any known cases of this specific attack?

lrvick•2mo ago

At least strong evidence it happened once: https://niconiconi.neocities.org/posts/ken-thompson-really-d...

With careful planning though, with the ability to rootkit any linux kernel it compiles that in turn hot-patches any gcc compilations and so on, with the ability to re-route system calls to hide itself... it could be very very hard to detect.

Even moreso if such was deployed in a couple target CI/CD systems.

bootstrappable builds are the only path to prove such an attack did not happen.

NASA now allowing astronauts to bring their smartphones on space missions

Claude Code Is the Inflection Point

MicroClaw – Agentic AI Assistant for Telegram, Built in Rust

Show HN: Omni-BLAS – 4x faster matrix multiplication via Monte Carlo sampling

The AI-Ready Software Developer: Conclusion – Same Game, Different Dice

AI Agent Automates Google Stock Analysis from Financial Reports

Voxtral Realtime 4B Pure C Implementation

I Was Trapped in Chinese Mafia Crypto Slavery [video]

U.S. CBP Reported Employee Arrests (FY2020 – FYTD)

Show HN: I built a free UCP checker – see if AI agents can find your store

Show HN: SVGV – A Real-Time Vector Video Format for Budget Hardware

Study of 150 developers shows AI generated code no harder to maintain long term

Spotify now requires premium accounts for developer mode API access

When Albert Einstein Moved to Princeton

Agents.md as a Dark Signal

System time, clocks, and their syncing in macOS

McCLIM and 7GUIs – Part 1: The Counter

So whats the next word, then? Almost-no-math intro to transformer models

Ed Zitron: The Hater's Guide to Microsoft

UK infants ill after drinking contaminated baby formula of Nestle and Danone

Show HN: Android-based audio player for seniors – Homer Audio Player

Starter Template for Ory Kratos

LLMs are powerful, but enterprises are deterministic by nature

Make your iPad 3 a touchscreen for your computer

Internationalization and Localization in the Age of Agents

Building a Custom Clawdbot Workflow to Automate Website Creation

Why the "Taiwan Dome" won't survive a Chinese attack

Xkcd: Game AIs

Windows 11 is finally killing off legacy printer drivers in 2026

From Offloading to Engagement (Study on Generative AI)

NASA now allowing astronauts to bring their smartphones on space missions

Claude Code Is the Inflection Point

MicroClaw – Agentic AI Assistant for Telegram, Built in Rust

Show HN: Omni-BLAS – 4x faster matrix multiplication via Monte Carlo sampling

The AI-Ready Software Developer: Conclusion – Same Game, Different Dice

AI Agent Automates Google Stock Analysis from Financial Reports

Voxtral Realtime 4B Pure C Implementation

I Was Trapped in Chinese Mafia Crypto Slavery [video]

U.S. CBP Reported Employee Arrests (FY2020 – FYTD)

Show HN: I built a free UCP checker – see if AI agents can find your store

Show HN: SVGV – A Real-Time Vector Video Format for Budget Hardware

Study of 150 developers shows AI generated code no harder to maintain long term

Spotify now requires premium accounts for developer mode API access

When Albert Einstein Moved to Princeton

Agents.md as a Dark Signal

System time, clocks, and their syncing in macOS

McCLIM and 7GUIs – Part 1: The Counter

So whats the next word, then? Almost-no-math intro to transformer models

Ed Zitron: The Hater's Guide to Microsoft

UK infants ill after drinking contaminated baby formula of Nestle and Danone

Show HN: Android-based audio player for seniors – Homer Audio Player

Starter Template for Ory Kratos

LLMs are powerful, but enterprises are deterministic by nature

Make your iPad 3 a touchscreen for your computer

Internationalization and Localization in the Age of Agents

Building a Custom Clawdbot Workflow to Automate Website Creation

Why the "Taiwan Dome" won't survive a Chinese attack

Xkcd: Game AIs

Windows 11 is finally killing off legacy printer drivers in 2026

From Offloading to Engagement (Study on Generative AI)

Running the "Reflections on Trusting Trust" Compiler (2023)

Comments