Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]



On Wed, Mar 03, 2021 at 05:42:36PM -0800, David Christensen wrote:

[...]

> So, you designed, built, and programmed your "single other machine"
> using machines that you designed, built [...]

This is disingenuous.

The whole game is about trust. I trust gcc more than I trust MSVC.
That may be a good bet or a bad bet, as trust always is. I trust
Debian more than I trust, let's say, Salesforce.

I trust Debian: do you think I can vet the ~2070 packages that are
currently installed on my personal box?

Thompson's "on trusting trust" is just a bad joke when put in that
perspective.

I am well aware of the importance of Thompson's paper, mind you. It
was seminal in showing the importance of the build chain. NixOS and
Guix wouldn't be without that perspective. It has been demonstrated
practically a couple of times since then (MSVC, npm, etc.).

The one aspect missing is, though, the "social" aspect: the software
endeavour has become so devilishly complex that the idea of One
Person (TM) checking everything down to some hypothetical "Trust
Roots" is... theoretical, to state it politely. You gotta delegate
some trust (well, most of it, actually).

And oh, do yourself a favour and dare a step forward from the 1984s.
Read David A. Wheeler's work [1] and put yourself in the 2010s :-)

Back to the topic: I do trust my ISP significantly less than I do
OpenWRT. Therefore there is something between their provided router
and my home network.

Cheers

[1] https://dwheeler.com/trusting-trust/
    https://arxiv.org/abs/1004.5534

 - t
