
lrvick, last Sunday at 9:48 AM

The normalized lack of care about supply chain integrity is going pretty poorly, as any read of recent headlines indicates.

Stagex has a 100% full-source bootstrapping and reproducibility requirement: at least two maintainers must prove and sign for every package.

Stagex is also very heavily used and relied on in high value financial and scientific applications where trusting a binary some internet rando compiled is not even remotely acceptable.

Haskell and Ada are locked out of any high security applications until they are bootstrappable.
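The "at least two maintainers must prove and sign" policy in the comment above is a quorum check over reproducible-build attestations. The block below is an added example, not StageX code: it accepts a package only if every attestation carries a valid signature from a known maintainer, all attestations name one identical artifact digest (a disagreement is a reproducibility failure, not a vote to be outvoted), and at least two distinct maintainers signed. Real systems use asymmetric signatures (OpenPGP, Sigstore and the like); a per-maintainer HMAC stands in here so it runs offline on the standard library. Maintainer names, keys, the package name and digests are all constructed for the example.

```python
"""Quorum check for reproducible-build attestations (added example, not StageX code)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed maintainer keys; stands in for public keys in a trust store.
MAINTAINER_KEYS = {
    "alice": b"constructed-key-alice",
    "bob": b"constructed-key-bob",
    "carol": b"constructed-key-carol",
}
QUORUM = 2  # minimum number of distinct maintainers who must agree


@dataclass(frozen=True)
class Attestation:
    package: str
    version: str
    digest: str      # sha256 of the built artifact, hex
    signer: str      # maintainer id
    signature: str   # hex MAC over the signed statement (stand-in for a signature)


def statement(package, version, digest):
    """Canonical bytes that a maintainer signs after rebuilding the package."""
    return f"{package}@{version} sha256:{digest}".encode()


def sign(package, version, digest, signer):
    """Produce an attestation as maintainer `signer` would after a local rebuild."""
    key = MAINTAINER_KEYS[signer]
    sig = hmac.new(key, statement(package, version, digest), hashlib.sha256).hexdigest()
    return Attestation(package, version, digest, signer, sig)


def signature_valid(att):
    """Reject unknown signers and any statement that does not verify under their key."""
    key = MAINTAINER_KEYS.get(att.signer)
    if key is None:
        return False
    expected = hmac.new(key, statement(att.package, att.version, att.digest),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att.signature)


def verify_quorum(attestations, quorum=QUORUM):
    """Return (accepted, reason) for one package/version's set of attestations."""
    if not attestations:
        return False, "no attestations"
    targets = {(a.package, a.version) for a in attestations}
    if len(targets) != 1:
        return False, "attestations span more than one package/version"
    for a in attestations:
        if not signature_valid(a):
            return False, f"invalid signature from {a.signer!r}"
    digests = {a.digest for a in attestations}
    if len(digests) != 1:
        # Independent rebuilds disagree: the build is not reproducible, stop here.
        return False, f"non-reproducible: {len(digests)} distinct digests reported"
    signers = {a.signer for a in attestations}  # one maintainer signing twice counts once
    if len(signers) < quorum:
        return False, f"only {len(signers)} distinct maintainer(s), need {quorum}"
    return True, f"accepted: {len(signers)} maintainers agree on {digests.pop()[:12]}..."


def demo():
    """Four constructed scenarios: accepted, single signer twice, digest mismatch, forged."""
    good = "a" * 64  # constructed artifact digest
    bad = "b" * 64
    pkg, ver = "examplepkg", "1.0.0"
    ok = verify_quorum([sign(pkg, ver, good, "alice"), sign(pkg, ver, good, "bob")])
    one_person_twice = verify_quorum([sign(pkg, ver, good, "alice"),
                                      sign(pkg, ver, good, "alice")])
    mismatch = verify_quorum([sign(pkg, ver, good, "alice"), sign(pkg, ver, bad, "bob")])
    forged = Attestation(pkg, ver, good, "carol", "00" * 32)  # signature does not verify
    tampered = verify_quorum([sign(pkg, ver, good, "alice"), forged])
    return ok, one_person_twice, mismatch, tampered


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The ordering of the checks matters: signature validity is tested before digests are compared, so an attacker who cannot sign as a maintainer cannot inject a bogus digest to make a good build look non-reproducible, and the distinct-signer count is taken only after all digests agree.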


Replies

tennysonty, yesterday at 5:59 AM

I was under the impression that most supply chain attacks target source code, not binaries, especially for large projects like OpenBSD.

Does StageX audit source code to the same extent that OpenBSD does? If not, then how would you compare the downgrade in security due to less code auditing vs the reassurance of reproducible builds?

Or, how would you compare StageX with Gentoo, in which the entire system is installed from source. Sure, you have to trust your initial installer, but how could I get a StageX system setup without first having access to a computer with some software installed? If we're at the point where we're worried that every Haskell program that has ever been compiled is owned, then I wonder why I should trust any software that might install StageX onto my computer, or the underlying hardware for that matter?

gf000, last Sunday at 10:10 AM

I'm not saying the status quo is good, but it is nonetheless the status quo. Just about every machine on the cloud, mobile devices, etc. all have non-source binaries somewhere, and besides some niche projects that actually have an assembly half-C compiler bootstrapping another tiny C compiler bootstrapping a real C compiler, this is not feasible for the vast software ecosystem as of today.
