
Guix Reduces Bootstrap Seed by Half - stargrave
https://guix.gnu.org/blog/2019/guix-reduces-bootstrap-seed-by-50/
======
reacweb
I do not understand. When I started on Linux, 25 floppies were enough for
a full installation (including LaTeX and X) on my big HD (120MB). How could a
stripped-down version of bash, coreutils & co and guile require 120MB?

~~~
sideeffffect
I suspect that a big part of that 120MB is bootstrap-guile (Guile is a
Scheme implementation).

If you want to go really minimalistic, see stage0; it's like 500 bytes.

[https://github.com/oriansj/stage0](https://github.com/oriansj/stage0)

Details are in the article.

~~~
bArray
Can you elaborate on what stage0 does? I'm not sure I understand what it means
by "bootstrap".

~~~
markjenkinswpg
Stage0's binary seed is a monitor, a program that lets you twiddle data in hex
into memory addresses (in hex).

Code injected into the monitor can do the next best thing, a similar program
that loads text files with hex into binaries and skips ends of lines after a
comment marker starts.

As such, the initial stuff in the stage0 project is further programs that are
still in my view blobs, but instead of binary blobs they're plain text hex
blobs with comments documenting the assembler equivalent and what's going on.

From there there are iterations of having hex files (hex 1 and hex2) with
increasing complexity of symbol tables so references can be made to addresses
and relative jumps by symbols.

From there the stage0 project makes the leap to "stage1" and there are things
like basic editors, file concatenation tools, a macro-based assembler and so on.
It all ends with a C-subset (M2-Planet) compiler written in assembler.

Work is in progress to rewrite the Scheme interpreter mes in M2-Planet instead
of normal C. The C compiler mescc (written in Scheme) can build tcc and onward
to gcc.

There are bootstraps along these lines for a fantasy machine called knight, and
there are x86 versions and maybe some other archs in the works.

My stalled side project is interpreting the knight stuff in python:
[https://github.com/markjenkins/knightpies](https://github.com/markjenkins/knightpies)

I'm excited by the idea that I could use really old GNU/Linux distro CDs that
I trust with python2.3+ as a bootstrap path and eventually with some other
work even use old power macs with MacOS X that included python2.3+ as another
cool place to bootstrap the free world.
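
As an added illustration of the hex0/hex1 steps described in the comment above (example code written for this thread, not the stage0 project's own tools): a hex0-style loader that turns commented hex text into bytes, and a hex1-style two-pass variant that resolves `:label` definitions and `@label` relative-jump references. The `:`/`@` syntax and the `#`/`;` comment markers are a simplified, assumed convention, and the x86 byte sequences in the samples are constructed for the demo.

```python
"""Toy hex0- and hex1-style assemblers in the spirit of the stage0 chain.

Example code for this thread, not stage0's own tools. The line syntax is an
assumed simplification of what the comment describes:

  hex0: pairs of hex digits become bytes; '#' or ';' starts a comment that
        runs to end of line, so the source doubles as its own documentation
  hex1: same, plus ':name' defines a label at the current address and '@name'
        emits one signed byte holding (label address - address after the byte),
        i.e. the displacement a short relative jump needs
"""
from __future__ import annotations

COMMENT_MARKERS = ("#", ";")   # assumed convention, not stage0's exact format


def strip_comment(line: str) -> str:
    """Drop everything from the first comment marker to end of line."""
    cut = len(line)
    for marker in COMMENT_MARKERS:
        idx = line.find(marker)
        if idx != -1:
            cut = min(cut, idx)
    return line[:cut]


def hex0_assemble(text: str) -> bytes:
    """hex0: every pair of hex digits outside comments becomes one byte."""
    nibbles = "".join(ch for line in text.splitlines()
                      for ch in strip_comment(line) if not ch.isspace())
    if len(nibbles) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(nibbles)   # rejects non-hex characters for us


def _tokens(text: str) -> list[str]:
    return [tok for line in text.splitlines() for tok in strip_comment(line).split()]


def hex1_assemble(text: str, origin: int = 0) -> bytes:
    """hex1: two passes, so a label may be referenced before it is defined."""
    toks = _tokens(text)

    # Pass 1: assign an address to every label. A '@name' reference always
    # occupies exactly one byte, so sizes are known without resolving anything.
    labels: dict[str, int] = {}
    addr = origin
    for tok in toks:
        if tok.startswith(":"):
            name = tok[1:]
            if name in labels:
                raise ValueError(f"duplicate label {name}")
            labels[name] = addr
        elif tok.startswith("@"):
            addr += 1
        else:
            if len(tok) % 2:
                raise ValueError(f"odd-length hex token {tok!r}")
            addr += len(tok) // 2

    # Pass 2: emit bytes, replacing each reference with its 8-bit displacement.
    out = bytearray()
    for tok in toks:
        if tok.startswith(":"):
            continue
        if tok.startswith("@"):
            name = tok[1:]
            if name not in labels:
                raise ValueError(f"undefined label {name}")
            here = origin + len(out) + 1          # address after the displacement byte
            disp = labels[name] - here
            if not -128 <= disp <= 127:
                raise ValueError(f"label {name} out of range for an 8-bit displacement")
            out.append(disp & 0xFF)
        else:
            out += bytes.fromhex(tok)
    return bytes(out)


# Constructed sample: a tiny x86 exit stub, annotated the way a hex0 source would be.
SAMPLE_HEX0 = """
B8 01 00 00 00   # mov eax, 1    (sys_exit)
31 DB            # xor ebx, ebx  (status 0)
CD 80            # int 0x80
"""

# Constructed sample: a loop whose back-edge is written by symbol instead of a
# hand-counted offset, which is exactly what the symbol-table step buys you.
SAMPLE_HEX1 = """
:start
31 C0            ; xor eax, eax
40               ; inc eax
EB @start        ; jmp short start (displacement filled in by the assembler)
"""

if __name__ == "__main__":
    print("hex0:", hex0_assemble(SAMPLE_HEX0).hex(" "))
    print("hex1:", hex1_assemble(SAMPLE_HEX1).hex(" "))
```

Running it shows the hex0 sample pass straight through to `b8 01 00 00 00 31 db cd 80`, while the hex1 sample's `@start` becomes `fb` (-5), the short-jump displacement back from address 5 to address 0. Each stage only needs the previous one to exist, which is the "turtles" structure the thread is discussing.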

------
yourapostasy
Dayum...just how far do the turtles go? Even when they reach full source
bootstrap, are they ruminating over concerns about the firmware/BIOS? If
_those_ concerns are addressed with an equivalent bootstrap-seeded coreboot,
then are there concerns with the silicon? I never even thought someone was
taking this level of security seriously enough to actually put the effort into
it, but I'm extremely glad to see they are. I can easily see high-security
DevOps builds of secrets management stores driven by such a bootstrapped Guix
to nearly indefinitely satisfy the provenance-type questions from the
regulatory compliance teams I work with.

~~~
z29LiTp5qUC30n
Well, if you look at #bootstrappable's logs it looks like they are planning on
building custom hardware out of TTL chips to eliminate all
software/BIOS/firmware from the bootstrap, which when combined with
libresilicon means no place for any attacks to hide.

~~~
nwah1
Unless Dennis Ritchie or Ken Thompson placed a "trusting trust" attack in the
original C compiler, since virtually all modern code was compiled by something
that was once compiled by it.

(Ken Thompson coined the term and knows how to do it.)

~~~
pdw
To counter that, they're working on a bootstrap chain that starts with a tiny
500 byte hex editor and ends with a compiler that can build the GNU toolchain.

------
gglitch
Neat - MES Scheme is apparently named after Alan Kay's description of Lisp as
the Maxwell's equations of software.

[https://gitlab.com/janneke/mes](https://gitlab.com/janneke/mes)

~~~
equalunique
That information is also given on the GNU page:
[https://www.gnu.org/software/mes/](https://www.gnu.org/software/mes/)

------
archi42
So the only trust anchors remaining are the kernel and the hardware. It seems
an attacker has to build a kernel module that detects the bootstrapping
process and injects the (self-replicating!) bad code while building the final
gcc.

I like the work, but I still don't think the kind of attack mitigated here is
practical. OTOH it's nice to have the option (if I was to build/publish my own
distribution I would use this as my trust anchor, plus some ancient hardware
and Linux 2.4 CDs to build my own bootstrap environment; though as a random
guy on the internet I am probably less trustable than e.g. the Debian people).

------
antoineMoPa
Anyone using Guix in production? (Anyone using Guix?)

~~~
uncletaco
Not in "production" but I use it on my personal laptop and desktop. I wanted
to learn a scheme and I figured what better way than to dedicate all of my
home computing time to configuring a system and crying myself to sleep trying
to build firefox on it.

~~~
robto
If you get firefox working, please share your definition on the nonguix[0]
repo. Lack of Firefox is what is currently holding me back from installing
Guix on hardware. I don't know anything about package building, but I'd be
happy to help collaborate if you need it.

[0][https://gitlab.com/nonguix/nonguix](https://gitlab.com/nonguix/nonguix)

~~~
uncletaco
So two things:

1. I believe icecat is going to update pretty soon to version 68 to track
with the latest esr, so perhaps in a week or so please check the main channel
for an icecat version that _should_ work with most, if not all, up to date
extensions.

2. If I do get Firefox built and packaged then I'll be more than happy to add
it to the nonguix channel. Though I'm strongly considering just creating an
unofficial icecat that keeps up with the latest version of Firefox like icecat
on windows does. We'll see what happens after these tears dry.

Icecat is really just a set of scripts to strip out branding from Firefox and
packages it with gnu shit, though the gnuzilla project provides the esr
version for convenience.

------
xvilka
I wonder if they target RISC-V platform too. Or OpenPOWER (the case of Raptor
Engineering).

~~~
chungy
Seems to be only i686 and x86_64. It's a pretty small project all things
considered, but I'm sure a porting effort would be appreciated.

~~~
tremon
From the article (default blurb added to the end of every blog post):

_it can be used as a standalone operating system distribution for i686,
x86_64, ARMv7, and AArch64 machines._

~~~
Fnoord
FTA:

> The Guix development branch we just merged introduces a reduced binary seed
> bootstrap for x86_64 and i686

------
atian
Yeah startups are gonna need another way of financing fast if seed amounts
keep going down. If anything the startup age is over on the west coast.

~~~
moomin
When you only read the headline.

------
m4r35n357
Fascinating stuff!

