ahahahahah | 8 months ago

Why? Would you compile the compiler from source as well? From what? You need to compile the compiler's compiler from source as well, right? Where does it stop? And why is that location more valid of a decision than the one that doesn't require building the build system from source?

kokada|8 months ago

Same can be extended for other tools that are generally used in builds like make. I never heard someone say that they need to build make from source so they can build X, unless of course you're using something like Linux From Scratch.

fc417fc802|8 months ago

I build cmake from source but TBF that's because projects sometimes depend on specific version ranges for features that they use (either brand new or recently removed).

LoganDark|8 months ago

You compile the compiler from source, then you use the compiler compiled from source to compile the compiler from source again, and then the compiler that you compiled from source using the compiler compiled from source should be essentially identical to the compiler compiled from source by itself (unless anything like Reflections on Trusting Trust is in play, but then a lot of bets are off).
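
The stage comparison described in the comment above, as an added example that is not part of the thread: it hashes every file in two build output trees and lists the paths that are missing, extra, or different. The `stage2`/`stage3` directory names and the file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_stages(stage2_dir, stage3_dir):
    """Return (missing_in_stage3, extra_in_stage3, differing) as sorted path lists."""
    a, b = tree_digests(stage2_dir), tree_digests(stage3_dir)
    missing = sorted(a.keys() - b.keys())
    extra = sorted(b.keys() - a.keys())
    differing = sorted(f for f in a.keys() & b.keys() if a[f] != b[f])
    return missing, extra, differing


def demo():
    """Build two constructed stage trees in a temp dir and compare them twice."""
    with tempfile.TemporaryDirectory() as tmp:
        s2, s3 = Path(tmp, "stage2"), Path(tmp, "stage3")
        for d in (s2, s3):
            (d / "bin").mkdir(parents=True)
            (d / "bin" / "cc").write_bytes(b"\x7fELF constructed compiler body")
            (d / "lib.o").write_bytes(b"constructed object")
        clean = compare_stages(s2, s3)
        # Simulate a stage 3 output that is non-deterministic or was altered.
        (s3 / "bin" / "cc").write_bytes(b"\x7fELF constructed compiler body!")
        dirty = compare_stages(s2, s3)
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = demo()
    print("stages identical:", clean == ([], [], []))
    print("after change:", dirty)
```

An empty result shows the build reached a deterministic fixed point; it does not rule out a self-propagating backdoor inherited from the original host compiler, which is the Reflections on Trusting Trust caveat the comment mentions.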

PhilipRoman|8 months ago

Not really relevant here, but this is actually exactly how it's done in embedded systems like Yocto, everything from gcc, make, etc. is built from source (I believe the host compiler is used in a 3-stage bootstrapping process for gcc).

And in these cases you really see the impact of internal dependencies (building rust/llvm takes around 30-40% of the entire build). The upside is that you can patch and debug absolutely any part of the system.

kosolam|8 months ago

You mean it’s consistent on the machine code level and this allows patching and debugging more easily? Trying to understand..

dannymi|8 months ago

It stops at GNU Mes and hex0.

Bootstrapping everything is exactly how it's done correctly--and how it's actually done in practice in Guix.

I mean sure if you have a business to run you outsource this part to someone else--but you seem to think it's not done at all.

Supply chain attacks have been happening pretty much non-stop the past years. Think it's a good idea to use binary artifacts you don't know how they were made (and thus what's in them)? Especially for build tools, compilers and interpreters.

>And why is that location more valid of a decision than the one that doesn't require building the build system from source?

Because you only have to review a 250 Byte binary (implementing an assembler) manually. Everything else is indeed built from source, including make, all the way up to Pypy, Go, Java and .NET (and indeed Chromium).

lioeters|8 months ago

I didn't realize until I read this, but all software engineers would benefit from building everything from source at least once as an educational experience.

I've never gone all the way to the bottom, but now that I know it's possible I cannot resist the challenge to try it.

charcircuit|8 months ago

>Because you only have to review a 250 Byte binary

It's dishonest to not mention the millions upon millions of lines of source code you also have to verify to know that dependencies are safe to use. Compiling from source doesn't prevent supply chain attacks from happening.

In my opinion there is more risk in getting a safe Siso binary in going through this whole complicated build everything from scratch process vs Google providing a trusted binary to use since you have to trust more parties to not have been compromised.

omeid2|8 months ago

At least for Linux distros and the likes of Brew, you will need to have Go to have Siso, and so on.