From 23e0f39506516476f4890e6e5397485bfae7d602 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= Date: Tue, 12 Nov 2024 23:49:30 +0200 Subject: [PATCH] zig bootstrap: some updates --- .../2024/zig-reproduced-without-binaries.md | 48 ++++++++++++------- 1 file changed, 32 insertions(+), 16 deletions(-) diff --git a/content/log/2024/zig-reproduced-without-binaries.md b/content/log/2024/zig-reproduced-without-binaries.md index 5782726..9fcaf23 100644 --- a/content/log/2024/zig-reproduced-without-binaries.md +++ b/content/log/2024/zig-reproduced-without-binaries.md @@ -7,13 +7,10 @@ draft: true I decided to bootstrap zig without using binaries that are [checked in the repository](https://github.com/ziglang/zig/blob/0.13.0/stage1/zig1.wasm) and -see if the resulting `zig1.wasm` in the latest zig release (0.13.0) is the same -the one bootstrapped without those binaries. +answer if the resulting `zig1.wasm` in the latest zig release (0.13.0) is the +same the one bootstrapped without those binaries. -TLDR: `zig1.wasm` of the official 0.13.0 and our-hard-bootstrapped one are the -same. Whoof, Zig is clean from [this famous attack vector][2], or at least -there is nothing hiding in `zig1.wasm` that hasn't been in the checked-in -sources: +TLDR: yes, they are the same: ``` $ sha256sum code/zig{,2}/stage1/zig1.wasm @@ -21,8 +18,12 @@ $ sha256sum code/zig{,2}/stage1/zig1.wasm 127909fb8c9610ce3f296d8a48014546c0f85055115002fb3aba4d865dcdbb27 code/zig2/stage1/zig1.wasm ``` +I can now confidently say (and you can also check, you don't need to [trust +me][2]) that there is nothing hiding in `zig1.wasm` that hasn't been +checked-in. + Many, many thanks to [Hilton Chain][1] for reasons I that will become clear -later. +later. The rest of this post walks through how I arrived to this claim. # Official zig1.wasm 
@@ -98,7 +99,7 @@ compiler. Andrew suggests a motivated third-party to implement a [Zig interpreter][zig-interpreter] in non-zig that could break this chain. While -that would be certainly be ideal, but nobody has built it yet 🤷. +that would be certainly be ideal, nobody has built it yet 🤷. The steps to build "trusted"[^3] zig are roughly: 
@@ -115,14 +116,29 @@ work on bootstrapping Zig!`, where they took my PoC, [re-created all of it in Guix DSL][6] and ran all the way to 0.13.0[^2]. This made me flabbergasted. I audited their script to see if it really deletes `zig1.wasm` at every -checkout, ran it to produce `zig1.wasm` of `0.13.0` myself. Once I had -`zig1.wasm` of 0.13.0, I did the same as I did in the official `zig1.wasm`: -built zig3, used it to build `zig1.wasm`, and voilà, the hashes of the official -`zig1.wasm` and the one built by myself and Hilton match. +checkout, ran it to produce `zig1.wasm` of `0.13.0` myself: -I am looking forward to Hilton landing his Zig work to Guix, so anyone can -audit the build script and reproduce this exercise by themselves with an -otherwise [bootstrappable][7] system. +``` +$ ./pre-inst-env guix build zig@0.13 +;;; note: source file /home/motiejus/code/guix/gnu/packages/zig.scm +;;; newer than compiled /home/motiejus/code/guix/gnu/packages/zig.go +;;; note: source file /home/motiejus/code/guix/gnu/packages/zig.scm +;;; newer than compiled /nix/store/gp8nnfibhz63f61cxrnjhm4wb2r9np8h-guix-1.4.0/lib/guile/3.0/site-ccache/gnu/packages/zig.go +/gnu/store/mz95707dd7qmycpr1f0ndxhkmx3vdy1c-zig-0.13.0 +/gnu/store/kqwq8sjgwi561sp78vfi6xkgm9i3wysk-zig-0.13.0-zig1 +$ ls -lh /gnu/store/kqwq8sjgwi561sp78vfi6xkgm9i3wysk-zig-0.13.0-zig1/bin/zig1.wasm +-r--r--r-- 5 root root 2.6M Jan 1 1970 /gnu/store/kqwq8sjgwi561sp78vfi6xkgm9i3wysk-zig-0.13.0-zig1/bin/zig1.wasm +``` + +Once I had `zig1.wasm` of 0.13.0, I did the same as I did in the official +`zig1.wasm`: built zig3, used it to build `zig1.wasm`, and voilà, the hashes of +the official `zig1.wasm` and the one built here match. + +# Conclusion + +I am looking forward to Hilton landing this to Guix, so anyone can audit the +build script and reproduce this exercise by themselves with an otherwise +[bootstrappable][7] system. If you don't trust Guix, whom do you trust? 
If anyone can trace origins of `zig1.wasm` and produce an identical version themselves, perhaps it's not too bad to have it checked in? @@ -134,7 +150,7 @@ themselves, perhaps it's not too bad to have it checked in? title. I will not link it here, as it will be removed when it lands, but it should be easy to find for determined readers before it does. -[^3]: We trust no-one except ourselves. +[^3]: We trust no-one except ourselves and our little machine on our desk. [1]: https://ultrarare.space/ [2]: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
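Review bot: In the `@@ -7,13 +7,10` hunk, the rewritten opening sentence still reads "is the same the one bootstrapped without those binaries"; the word "as" is missing, a slip carried over from the removed lines. Suggest "is the same as the one bootstrapped without those binaries". "answer if" would also read better as "answer whether", since the TLDR that follows answers it with "yes".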
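Review bot: In the `@@ -21,8 +18,12` hunk, "nothing hiding in `zig1.wasm` that hasn't been checked-in" drops the word "sources" that the removed TLDR carried ("that hasn't been in the checked-in sources"). `zig1.wasm` is itself a checked-in binary, so the new wording reads as trivially true and no longer states what the hash comparison is meant to support, namely that the binary holds nothing beyond what the checked-in sources produce. Suggest "that isn't in the checked-in sources". In the same hunk, "how I arrived to this claim" should be "how I arrived at this claim".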
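Review bot: In the `@@ -98,7 +99,7` hunk, the edited line removes the stray "but" yet keeps the doubled verb in "that would be certainly be ideal". Suggest "While that would certainly be ideal, nobody has built it yet".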
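Review bot: In the `@@ -115,14 +116,29` hunk, the pasted `guix build zig@0.13` session does not say which revision of `gnu/packages/zig.scm` produced the two store paths, and the `;;; note: source file ... newer than compiled` lines show it was run from a local checkout whose `zig.scm` is newer than the compiled `zig.go`. For a post whose point is that readers can repeat the exercise, state the Guix commit and the version of the patch series that was applied, so the `/gnu/store/...-zig-0.13.0-zig1` path can be compared. The four `;;; note:` lines add nothing to the argument and expose local paths; consider trimming them. In the new Conclusion, "landing this to Guix" has lost the antecedent that the removed "his Zig work" provided.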