Running the "Reflections on Trusting Trust" Compiler (2023)

https://research.swtch.com/nih

120•naves•2mo ago

Comments

EvanAnderson•2mo ago

(2023)

Discussion at the time: https://news.ycombinator.com/item?id=38020792

riemannzeta•2mo ago

Reflections on Trusting "Reflections on Trusting Trust"?

Y_Y•2mo ago

Would be fun to see if an llm could produce this (assuming tfa and other solutions weren't present in the training data).

kpcyrd•2mo ago

> Even when source is available, as in open source operating systems like Linux, approximately no one checks that the distributed binaries match the source code.

This was not the case in 2023 for Arch Linux[1] back when the post was originally published, and is also not the case for Debian[2] since 2024.

[1]: https://reproducible.archlinux.org/

[2]: https://reproduce.debian.net/

lrvick•2mo ago

My team and I built stagex as the first software build toolchain that internally mandates 100% determinism and full source bootstrapping. It is explicitly designed for supply chain security to trust no single human or computer.

Also container native and soon to be LLVM native.

It is our best answer so far to the ROTT paper.

https://codeberg.org/stagex/stagex

pabs3•2mo ago

See also the Bootstrappable Builds website/community.

https://bootstrappable.org/

lrvick•2mo ago

Also the wider reproducible builds website/community https://reproducible-builds.org/

Also live-bootstrap, stage0, mrustc, mes, and so many amazing projects whose combined efforts all helped finally make probably trustworthy toolchains a thing.

pabs3•2mo ago

Very few OS distros have adopted Bootstrappable Builds unfortunately.

lrvick•2mo ago

Only stagex and Nix/Guix that I am aware of.

Panzerschrek•2mo ago

How real is this specific case of supply chain attack? Are there any known cases of this specific attack?

lrvick•2mo ago

At least strong evidence it happened once: https://niconiconi.neocities.org/posts/ken-thompson-really-d...

With careful planning though, with the ability to rootkit any linux kernel it compiles that in turn hot-patches any gcc compilations and so on, with the ability to re-route system calls to hide itself... it could be very very hard to detect.

Even moreso if such was deployed in a couple target CI/CD systems.

bootstrappable builds are the only path to prove such an attack did not happen.

MyFlames: Visualize MySQL query execution plans as interactive FlameGraphs

Show HN: LLM of Babel

A modern iperf3 alternative with a live TUI, multi-client server, QUIC support

Famfamfam Silk icons – also with CSS spritesheet

Apple is the only Big Tech company whose capex declined last quarter

Reverse-Engineering Raiders of the Lost Ark for the Atari 2600

Show HN: Deterministic NDJSON audit logs – v1.2 update (structural gaps)

The Greater Copenhagen Region could be your friend's next career move

Do Not Confirm – Fiction by OpenClaw

The Analytical Profile of Peas

Hallucinations in GPT5 – Can models say "I don't know" (June 2025)

What AI is good for, according to developers

OpenAI might pivot to the "most addictive digital friend" or face extinction

Show HN: Know how your SaaS is doing in 30 seconds

ClawdBot Ordered Me Lunch

What the News media thinks about your Indian stock investments

Running Lua on a tiny console from 2001

Google and Microsoft Paying Creators $500K+ to Promote AI Tools

New filtration technology could be game-changer in removal of PFAS

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

Kinda Surprised by Seadance2's Moderation

I Write Games in C (yes, C)

Django scales. Stop blaming the framework (part 1 of 3)

Malwarebytes Is Now in ChatGPT

Thoughts on the job market in the age of LLMs

Show HN: Stacky – certain block game clone

AIII: A public benchmark for AI narrative and political independence

SectorC: A C Compiler in 512 bytes

The API Is a Dead End; Machines Need a Labor Economy

Digital Iris [video]

MyFlames: Visualize MySQL query execution plans as interactive FlameGraphs

Show HN: LLM of Babel

A modern iperf3 alternative with a live TUI, multi-client server, QUIC support

Famfamfam Silk icons – also with CSS spritesheet

Apple is the only Big Tech company whose capex declined last quarter

Reverse-Engineering Raiders of the Lost Ark for the Atari 2600

Show HN: Deterministic NDJSON audit logs – v1.2 update (structural gaps)

The Greater Copenhagen Region could be your friend's next career move

Do Not Confirm – Fiction by OpenClaw

The Analytical Profile of Peas

Hallucinations in GPT5 – Can models say "I don't know" (June 2025)

What AI is good for, according to developers

OpenAI might pivot to the "most addictive digital friend" or face extinction

Show HN: Know how your SaaS is doing in 30 seconds

ClawdBot Ordered Me Lunch

What the News media thinks about your Indian stock investments

Running Lua on a tiny console from 2001

Google and Microsoft Paying Creators $500K+ to Promote AI Tools

New filtration technology could be game-changer in removal of PFAS

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

Kinda Surprised by Seadance2's Moderation

I Write Games in C (yes, C)

Django scales. Stop blaming the framework (part 1 of 3)

Malwarebytes Is Now in ChatGPT

Thoughts on the job market in the age of LLMs

Show HN: Stacky – certain block game clone

AIII: A public benchmark for AI narrative and political independence

SectorC: A C Compiler in 512 bytes

The API Is a Dead End; Machines Need a Labor Economy

Digital Iris [video]

Running the "Reflections on Trusting Trust" Compiler (2023)

Comments