Running the "Reflections on Trusting Trust" Compiler (2023)(research.swtch.com)
120 points by naves 3 days ago | 13 comments
  • kpcyrd 3 days ago

    > Even when source is available, as in open source operating systems like Linux, approximately no one checks that the distributed binaries match the source code.

    This was not the case in 2023 for Arch Linux[1] back when the post was originally published, and is also not the case for Debian[2] since 2024.

    [1]: https://reproducible.archlinux.org/

    [2]: https://reproduce.debian.net/
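    Added illustration (not from the thread or from either project linked above) of what "checking that the distributed binaries match the source code" requires in practice: the rebuild only proves anything if the build is deterministic. The constructed source tree and the tar-archive "build" are stand-ins for a real package build; the normalisations (sorted entries, fixed mtime from SOURCE_DATE_EPOCH, zeroed ownership) are the ones reproducible-builds projects apply.

    ```python
    """Rebuild-and-compare check, and why it needs a deterministic build."""
    import hashlib
    import io
    import os
    import tarfile
    import time

    # Constructed sample "source tree": file name -> contents.
    SOURCES = {
        "main.c": b"int main(void) { return 0; }\n",
        "Makefile": b"all:\n\tcc -o main main.c\n",
    }

    def naive_build(sources, mtime=None):
        """Archive the sources the way an ad-hoc script would: wall-clock
        mtime, the builder's uid/gid, and whatever order the dict yields."""
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as tar:
            for name, data in sources.items():
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = int(time.time()) if mtime is None else mtime
                info.uid = os.getuid() if hasattr(os, "getuid") else 0
                info.gid = os.getgid() if hasattr(os, "getgid") else 0
                tar.addfile(info, io.BytesIO(data))
        return buf.getvalue()

    def reproducible_build(sources, source_date_epoch=0):
        """Same archive with every varying field pinned: sorted entry order,
        mtime taken from SOURCE_DATE_EPOCH, uid/gid 0, empty owner names,
        and a fixed tar format so the header layout cannot drift."""
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for name in sorted(sources):
                data = sources[name]
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = source_date_epoch
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                tar.addfile(info, io.BytesIO(data))
        return buf.getvalue()

    def digest(blob):
        return hashlib.sha256(blob).hexdigest()

    def verify_distributed(distributed_blob, sources):
        """The check the comment describes: rebuild the artifact from source
        in a pinned environment and compare digests with what was shipped."""
        return digest(distributed_blob) == digest(reproducible_build(sources))
    ```

    Run naive_build twice a second apart and the digests differ even though the source is identical, which is exactly the situation in which a rebuild check cannot distinguish a harmless timestamp from a substituted binary; the pinned build makes the comparison meaningful.
    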

  • lrvick 3 days ago

    My team and I built stagex as the first software build toolchain that internally mandates 100% determinism and full source bootstrapping. It is explicitly designed for supply chain security to trust no single human or computer.

    Also container native and soon to be LLVM native.

    It is our best answer so far to the ROTT paper.

    https://codeberg.org/stagex/stagex

    • pabs3 3 days ago | parent

      See also the Bootstrappable Builds website/community.

      https://bootstrappable.org/

      • lrvick 3 days ago | parent

        Also the wider reproducible builds website/community https://reproducible-builds.org/

        Also live-bootstrap, stage0, mrustc, mes, and so many amazing projects whose combined efforts all helped finally make probably trustworthy toolchains a thing.

        • pabs3 3 days ago | parent

          Very few OS distros have adopted Bootstrappable Builds unfortunately.

          • lrvick 3 days ago | parent

            Only stagex and Nix/Guix that I am aware of.

  • EvanAnderson 3 days ago

    (2023)

    Discussion at the time: https://news.ycombinator.com/item?id=38020792

  • riemannzeta 3 days ago

    Reflections on Trusting "Reflections on Trusting Trust"?

  • Panzerschrek 3 days ago

    How real is this specific case of supply chain attack? Are there any known cases of this specific attack?

    • lrvick 3 days ago | parent

      At least strong evidence it happened once: https://niconiconi.neocities.org/posts/ken-thompson-really-d...

      With careful planning though, with the ability to rootkit any Linux kernel it compiles that in turn hot-patches any gcc compilations and so on, with the ability to re-route system calls to hide itself... it could be very, very hard to detect.

      Even more so if such was deployed in a couple of target CI/CD systems.

      Bootstrappable builds are the only path to prove such an attack did not happen.

  • Y_Y 3 days ago

    Would be fun to see if an LLM could produce this (assuming TFA and other solutions weren't present in the training data).
