Subj : Re: macOS 26
To   : apam
From : tenser
Date : Sat Sep 27 2025 11:50 am

On 25 Sep 2025 at 11:30p, apam pondered and said...

ap>  >  ap> But really who knows if linus is not an evil hacker in truth
ap>  > putting back  ap> doors in linux.. we know because a) he has a good
ap>  > reputation and b) the  ap> code can be viewed and audited.
ap>  >
ap>  > I don't think anyone's seriously worried about that, specifically.
ap>
ap> No, I don't think so either at least not for the Linux kernel, but
ap> smaller less popular packages maybe.

Oh for sure.  Supply chain attacks are a real concern for a lot of
folks.  Attestation of artifacts (compiled binaries and so on) and
tracking their provenance (that is, being able to definitively track
them back to source code) is a pretty big deal in some circles.

ap> I remember reading an article about
ap> some node-js package the US governement was using written by a russian
ap> developer. It was kind of a silly scare mongering article though.

I remember when the Android security folks were importing Rust into
Google.  They were pretty worried about the binary compilers
distributed by the Rust project; at the time, there was a separate
project called `mrustc` that was sort of a parallel implementation
of the compiler, but written in C++.  It lacked most of the fancy
stuff in the regular compiler (read: it didn't actually implement
the borrow checker) but it was good enough to compile the compiler,
so that you could bootstrap it onto a new platform (which is really
what it was meant for).

Anyway, Google's C++ compilers were pretty well trusted, so they
started with mrustc, and got it to build a recent-ish, but older Rust
compiler, then they used _that_ to roll forward Rust point releases
until a) they were at the current stable version, and b) the compilers
that process generated were bit-for-bit identical with the binaries
from the Rust foundation.  At that point they could say, "we're using
the stable Rust compiler, as distributed by the project" and _also_
show provenance tracking the whole toolchain back to a trusted root
compiler.  It was pretty nifty.

I was the one who initially imported the Rust toolchain into the main
Google monorepo back in 2018 or so.  I just pulled the binaries from
`rustup`, but as things started getting serious with Rust inside of
Google, there was a lot of talk about importing what the Android folks
had done (Android, as an open source project, lives outside of the
monorepo).  I don't know what they've done recently, since I left in
2021.

--- Mystic BBS v1.12 A48 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

You are viewing proxied material from cvs.synchro.net. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.