#trustingtrust — Public Fediverse posts

Interesting tidbit about Rust as used in the Android OS: to prevent the trusting trust attack, and not rely on rust-lang.org build, they bootstrapped rustc 1.19 with mrustc (0.8.0), and then built all following rustc versions with their previous version.

https://cs.android.com/android/platform/superproject/main/+/main:prebuilts/rust/bootstrap/README.md

#RustLang #Android #Toolchains #Bootstrapping #TrustingTrust

@filippo Meanwhile, bootstrapping a current OpenJDK involves compiling multiple ancient packages (each with its own set of outdated dependencies, of course) and then going up all the way from Java 7, version by version.

@stikonas has described this tedious process and developed some ebuilds for Gentoo here: https://git.stikonas.eu/andrius/gentoo-bootstrap

This also applies to Rust in a way, but at least it's not as bad there – not yet, as the old versions might eventually succumb to bitrot, too.

Please, dear programming language community, can we do better at this? For resilience, for reproducibility, for reliability, for portability and for preservation?

#bootstrappablebuilds #bootstrapping #reproduciblebuilds #trustingtrust #gentoo #openjdk #rust