
I have fond memories of visiting a university in the early 90s on a demo day and there was a (physical) sphere in a Cornell box:

https://en.wikipedia.org/wiki/Cornell_box

And next to it was a super beefy computer doing a 3D rendering of a similar scene.

35 years+ later I've got "many spheres in a Cornell box" rendering in my browser, love it : )


The guys deterministically bootstrapping a simple compiler from a few hundred bytes, which then deterministically compiles a more powerful compiler and so on are on to something.

In the end we need fully deterministic, 100% verifiable chains. From the tiny bootstrapped beginning, to the final thing.

There are people working on these things. Both, in a way, "top-down" (bootstrapping a tiny compiler from a few hundred bytes) and "bottom-up" (a distro like Debian having 93% of all its packages being fully reproducible).

While most people are happy saying "there's nothing wrong with piping curl to bash", there are others that do understand what trusting trust is.

As a side note, although not a kernel backdoor, Jia Tan's XZ backdoor in that Rube Goldberg systemd "we modify your SSHD because we're systemd and so now SSHD's attack surface is immensely bigger" was a wake-up call.

And, sadly and scarily, that's only the one we know about.

I think we'll see many more of these cascading supply chain attacks. I also think that, in the end, more people are going to realize that there are better ways to both design, build and ship software.


> If you don't what's the point of checking only the install script?

The .tar.gz can be checksummed and saved (to be sure later on that you install the same .tar.gz and to be sure it's still got the same checksum). Piping to Bash in one go not so much. Once you intercept the .tar.gz, you can both reproduce the exploit if there's any (it's too late for the exploit to hide: you've got the .tar.gz and you may have saved it already to an append-only system, for example) and you can verify the checksum of the .tar.gz with other people.

The point of doing all these verifications is not only to not get an exploit: it's also to be able to reproduce an exploit if there's one.

There's a reason, say, packages in Debian are nearly all both reproducible and signed.

And there's a reason they're not shipped with piping to bash.

Other projects shall offer an install script that downloads a file but verifies its checksum. That's the case of the Clojure installer for example: it verifies the .jar. Now I know what you're going to say: "but the .jar could be backdoored if the site got hacked, for both the checksum in the script and the .jar could have been modified". Yes. But it's also signed with GPG. And I do religiously verify that the "file inside the script" does have a valid signature when it has one. And if suddenly the signing key changed, this rings alarm bells.

Why settle for the lowest common denominator security-wise? Because Anthropic (I pay my subscription btw) gives a very bad example and relies entirely on the security of its website and pipes to Bash? This is high-level suckage. A company should know better and should sign the files it ships and not encourage lame practices.

Once again: all these projects that suck security-wise are systematically built on the shoulders of giants (like Debian) who know what they're doing and who are taking security seriously.

This "malware exists so piping to bash is cromulent" mindset really needs to die. That mentality is the reason we get major security exploits daily.
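The "download to a file, checksum it, check the signature, keep a copy, and only then unpack" flow the comment above argues for, written out as an added shell example (not any project's installer; the URL, expected digest and signing-key fingerprint are placeholders to be obtained out of band). Pinning the signing key's fingerprint is what turns "the signing key suddenly changed" into a hard failure instead of a valid-looking signature from an unknown key:

```shell
#!/bin/sh
# Added example: fetch-then-verify instead of piping curl into bash.
# Placeholders (URL, digest, fingerprint) are constructed, not real values.
set -u

# Portable SHA-256 of a file (coreutils sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only if the file's SHA-256 equals the expected hex digest.
verify_sha256() {
  file=$1 expected=$2
  actual=$(sha256_of "$file") || return 1
  [ "$actual" = "$expected" ]
}

# Return 0 only if gpg reports a VALIDSIG made by the pinned key fingerprint.
# A good signature from a *different* key is rejected: that is the
# "signing key changed" alarm, not a pass.
verify_gpg_sig() {
  file=$1 sig=$2 fpr=$3
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# Download the archive and its detached signature to disk (so the exact bytes
# can be kept, re-hashed later and compared with other people), verify both,
# and only then unpack. Nothing is executed from the network stream itself.
fetch_and_verify() {
  url=$1 expected_sha=$2 fpr=$3 keep_dir=${4:-./downloads}
  mkdir -p "$keep_dir"
  name=$(basename "$url")
  curl -fsSL -o "$keep_dir/$name" "$url" || return 1
  curl -fsSL -o "$keep_dir/$name.asc" "$url.asc" || return 1
  verify_sha256 "$keep_dir/$name" "$expected_sha" \
    || { echo "checksum mismatch: $name" >&2; return 1; }
  verify_gpg_sig "$keep_dir/$name" "$keep_dir/$name.asc" "$fpr" \
    || { echo "bad or unexpected signature: $name" >&2; return 1; }
  tar -xzf "$keep_dir/$name"
}

# Usage (placeholder values, not a real release):
#   fetch_and_verify https://example.invalid/tool-1.0.tar.gz \
#     <expected-sha256-hex> <signing-key-fingerprint-hex>
```

The expected digest and fingerprint must come from somewhere other than the page serving the tarball (a signed release announcement, a previously saved copy, a peer), otherwise a compromised site can rewrite both at once, which is exactly the objection the comment anticipates.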


> And I do religiously verify that the "file inside the script" does have a valid signature when it has one.

If you want to go down this route, there is no need to reinvent the wheel. You can add custom repositories to apt/..., you only need to do this once and verify the repo key, and then you get this automatic verification and installation infrastructure. Of course, not every project has one.
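The "verify the repository key once, then let apt verify every package" setup described above, as an added shell example (not from any distribution's documentation; the repository URL, suite, key file and pinned fingerprint are placeholders). The key is compared against a fingerprint obtained out of band before it is installed, and the source entry is restricted to that keyring with Signed-By so the key cannot vouch for other repositories:

```shell
#!/bin/sh
# Added example: one-time, fingerprint-checked addition of a third-party apt
# repository. Requires gpg and root for the install step; placeholders only.
set -u

# Pull primary/sub-key fingerprints out of gpg's machine-readable colon
# format ("fpr:" records). Reads the colon output on stdin.
fingerprints_from_colons() {
  awk -F: '$1 == "fpr" { print $10 }'
}

# Return 0 only if the key file's primary-key fingerprint equals the pinned one.
key_matches_fingerprint() {
  keyfile=$1 pinned=$2
  got=$(gpg --batch --show-keys --with-colons --with-fingerprint "$keyfile" 2>/dev/null \
        | fingerprints_from_colons | head -n 1) || return 1
  [ "$got" = "$pinned" ]
}

# Render a deb822-style sources entry bound to a specific keyring.
render_sources_entry() {
  uri=$1 suite=$2 components=$3 keyring=$4
  printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' \
    "$uri" "$suite" "$components" "$keyring"
}

# One-time setup: check the fingerprint, store the dearmored key under
# /etc/apt/keyrings, write the source file, refresh indexes. From here on
# apt rejects any package or index not signed by that key.
add_pinned_repo() {
  name=$1 keyfile=$2 pinned=$3 uri=$4 suite=$5 components=$6
  key_matches_fingerprint "$keyfile" "$pinned" \
    || { echo "key fingerprint mismatch for $name, refusing to add" >&2; return 1; }
  install -d -m 0755 /etc/apt/keyrings
  gpg --batch --yes --dearmor -o "/etc/apt/keyrings/$name.gpg" "$keyfile" || return 1
  render_sources_entry "$uri" "$suite" "$components" "/etc/apt/keyrings/$name.gpg" \
    > "/etc/apt/sources.list.d/$name.sources"
  apt-get update
}

# Usage (placeholder values):
#   add_pinned_repo example ./example-repo-key.asc <pinned-fingerprint-hex> \
#     https://example.invalid/apt stable main
```

Comparing the full fingerprint rather than a short key ID is deliberate: short IDs are cheap to collide, and the whole point of the one-time check is that everything apt installs afterwards inherits it.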


Europe here. I disagree. Many SMEs are totally happy with Google Workspace and Canva, as GP mentioned. I know people using just that. And they don't understand why there are people suffering from the Microsoft-Stockholm syndrome.

The market may not yet be 365-sized but as GP mentioned: it's there.

And there are young people arriving at an age to open a business who have never used a Windows computer in their entire life. To them Microsoft is the company that makes the virus-infested, slow computers full of ads they see at their grandparents' house. That cohort ain't buying Windows / buying Office / using Azure.


And burntsushi is one of us: he's regularly here on HN. Big thanks to him. As soon as rg came out I was building it on Linux. Now it ships stock with Debian (since Bookworm? Don't remember): thanks, thanks and more thanks.

Big thanks to him indeed (and for other projects in Rust space as well).

// really hoping openai wouldn't now force him to work on some crappy codex stuff if he stays there / in astral.


> Next I'm going to set it loose on 263 GB database of every stock quote and options trade in the past 4 years.

Options quotes alone for US equities (or things that trade as such, like ADS/ADR) represent 40 Gbit per second during options trading hours. There are more than 60 million trades (not quotes, only trades) per day. As the stock market is open approx 250 days per year (a bit more), that's more than 60 billion actual options trades in 4 years. If we're talking about quotation for options, you can add several orders of magnitude to these numbers.

And I only mentioned options. How do you store "every stock quote and options trade in the past 4 years" in 263 GB!?


> And I only mentioned options. How do you store "every stock quote and options trade in the past 4 years" in 263 GB!?

I think this would be pretty straightforward for Parquet with ZSTD compression and some smart ordering/partitioning strategies.


I see, I said "stock quote" instead of "minute aggregates". You are correct, that data set is much larger, and at ~1.5TB a year [0] I did not download 6TB of data onto my laptop. Every settled trade, options or stocks, isn't that big.

[0] https://massive.com/docs/flat-files/stocks/quotes


Yeah I only ever use 1.1.1.3. Of note is that 1.1.1.3 is like 1.1.1.2 but with known adult sites also blocked, in addition to malware.

Thirding it except I do it from Emacs. Three side-by-side panes with left / common ancestor / right and then below the merge result. By default it's not like that but then it's Emacs so anything is doable. I hacked some elisp code a great many years ago and I've been using it ever since.

No matter the tool, merges should always be presented like that. It's the only presentation that makes sense.


The extensibility provided with Emacs Lisp has been helpful for hacking together my own Git/Jujutsu plugin. I tried to model it over lazygit/lazyjj although magit has been incredible to use and hard to depart from.

What tool do you use? Does Magit support it natively?

I think you need to enable 3-way merge by default in git's configuration, and both smerge (minor mode for solving conflicts) and ediff (major mode that encompasses diff and patch) will pick it up. In the case of the latter you will have 4 panes, one for version A, another for version B, a third for the result C, and the last is the common ancestor of A and B.

Addendum: I've long since disabled it. A and B changes are enough for me, especially as I rebase instead of merging.


Isn't that what ediff does?

A big thanks for making the Linux kernel better!

> Since virtualization is hardware assisted these days

I was running Xen with full-hardware virtualization on consumer hardware in... 2006. I mean: some of us here were running hardware virt before some of the commenters were born. Just to put the "these days" into perspective in case some would be thinking it's a new thing.


> Or machine gun defence when you're protecting tens of thousands of Iranians from the Islamist regime.

I agree with you. Also one where you try to prevent Olympic athletes from being publicly hanged by islamists.

Or when you try to detect lies from the islamist republic of Iran: for example when they said they didn't have long range missiles and they now just tried to attack targets 2000 km away. The intel was right after all.

But there's an issue in the west: some people hate free people and their own west so much that they prefer to side with islamists, with Hamas, with people chanting "from the river to the sea", that they'll only half-condemn Oct 7th saying it's "resistance", that they'll refuse to see when groups of people refuse to integrate into the US, that they'll never condemn a mayor of a major US city saying "it's now time for US citizens to follow the teachings of prophet muhammad", etc.

And don't get me started on those saying the islamist veil is "empowering" for women and a sign of "tolerance". Moreover it's coming from those who happen to be on the same side that constantly criticizes "toxic masculinity". But criticizing the most patriarchal culture and religion of them all? "Won't hear / Won't see / Won't talk".

It's never-ending. Their hatred for half of the people in their own country makes them side and root for absolute evil.

To me there's a word for such people: they're traitors. Plain and simple. And they're definitely my enemies.

I cannot be friends with someone condemning a US missile landing on a school but not condemning islamists killing 30 000+ of their own people and publicly hanging Olympic athletes.

Plain and simple. And they're the ones who should look deep down in their soul to see how dark it is, not me.

