Post B2EaimV8aOU8LAqQ9A by stikonas@fosstodon.org
 (DIR) Post #B2Eaik5XYaoyrCqwyG by filippo@abyssdomain.expert
       2025-10-27T13:07:40Z
       
       0 likes, 0 repeats
       
       Extremely happy to see https://sourcespotter.com, a Go Checksum Database monitor and Go toolchain reproducer by @agwa.
       
       These use the transparency logs we built into the Go supply chain to keep the Google-operated services honest.
       
       You can check your local view of the sumdb matches Source Spotter's with this command:
       
       curl --data-binary "@$(go env GOPATH)/pkg/sumdb/sum.golang.org/latest" https://gossip.api.sourcespotter.com/sum.golang.org
       
 (DIR) Post #B2EaikeHTQbuax6h7Y by filippo@abyssdomain.expert
       2025-10-27T13:07:41Z
       
       0 likes, 0 repeats
       
       Also, Go can be bootstrapped on multiple operating systems and architectures, from multiple C compilers, all the way to perfectly reproducible toolchain tarballs, and Source Spotter is automatically checking!
       
 (DIR) Post #B2EailfNgp5Jked5TU by notbobbytables@infosec.exchange
       2025-10-27T21:29:24Z
       
       0 likes, 0 repeats
       
       @filippo Meanwhile, bootstrapping a current OpenJDK involves compiling multiple ancient packages (each with its own set of outdated dependencies, of course) and then going up all the way from Java 7, version by version.
       
       @stikonas has described this tedious process and developed some ebuilds for Gentoo here: https://git.stikonas.eu/andrius/gentoo-bootstrap
       
       This also applies to Rust in a way, but at least it's not as bad there – not yet, as the old versions might eventually succumb to bitrot, too.
       
       Please, dear programming language community, can we do better at this? For resilience, for reproducibility, for reliability, for portability and for preservation?
       
       #bootstrappablebuilds #bootstrapping #reproduciblebuilds #trustingtrust #gentoo #openjdk #rust
       
 (DIR) Post #B2EaimV8aOU8LAqQ9A by stikonas@fosstodon.org
       2025-10-27T21:40:17Z
       
       0 likes, 0 repeats
       
       @notbobbytables @filippo At least with Rust we have mrustc that is fairly well maintained and gets updated to support newer Rustc versions. And mrustc->rustc bootstrap was even added to main Gentoo tree. Potentially we'll have gccrs too in the future.
       
       But OpenJDK chain just gets longer and longer. On the other hand Java seems to be slowly disappearing from the desktop...
       
 (DIR) Post #B2EaincGRNmPnZBctU by notbobbytables@infosec.exchange
       2025-10-27T21:52:08Z
       
       0 likes, 0 repeats
       
       @stikonas Yes, mrustc seems to be quite actively maintained, keeping the dependency chain relatively short. Let's hope it stays that way.
       
 (DIR) Post #B2EaioCQGwhfbi6VFo by civodul@toot.aquilenet.fr
       2026-01-12T21:40:10Z
       
       1 likes, 0 repeats
       
       @notbobbytables The bootstrap chain for Rust is not all that short unfortunately:
       
       https://guix.gnu.org/en/blog/2018/bootstrapping-rust/
       
       The post is from 2018; mrustc saw improvements in the meantime, but rustc kept moving on…
       
       @stikonas