| ▲ | lrvick 5 days ago |
| Unfortunately there is still no way to actually bootstrap haskell (or anything based on it) which makes it impossible to put anything written in Haskell near any high trust linux distribution or environment. I guess sandboxing the untrusted binary in a browser is -something- to let people play with haskell in a lower risk way for the moment at least but it is hard to take a language seriously or trust it with no way to bootstrap it from source. |
|
| ▲ | simonmic 5 days ago | parent | next [-] |
| You're speaking of "GHC haskell" there. Yes that is the main stream - and this will get solved there sooner or later - but you can also do a fair amount of Haskell without GHC. Eg MicroHs is getting increasingly capable and I believe is highly bootstrappable. |
| |
| ▲ | lrvick 5 days ago | parent [-] | | TIL MicroHS. Might try packaging this soon if it is in fact bootstrappable and can be deterministically compiled. |
|
|
| ▲ | Ericson2314 5 days ago | parent | prev | next [-] |
| https://discourse.haskell.org/t/what-s-needed-to-bootstrap-g... people have worked replaying the history to bootstrap. |
| |
| ▲ | lrvick 5 days ago | parent [-] | | Looks like a work in progress still, but exciting someone at least put some time into this in the past year. Maybe some day I can have pandoc in security focused linux distributions... | | |
| ▲ | jeremyjh 5 days ago | parent [-] | | This is the same process used to port GHC to new architectures, like ARM. It is not easy to do, I don't know how many people can actually do it. But its possible and has been done multiple times. |
|
|
|
| ▲ | whateveracct 5 days ago | parent | prev | next [-] |
| Between old Hugs and the new MicroHs, I think it's definitely doable with some elbow grease. I just don't know if anyone in the community cares that much about bootstrapping tho. |
| |
| ▲ | zozbot234 5 days ago | parent [-] | | AIUI, the underlying problem is that both Hugs and whatever toy Haskell implementations are available don't support the extensions current versions of GHC require. And no one has done the work to carve out a minimal stage0 compiler out of the GHC codebase that doesn't need those extensions to be built. | | |
| ▲ | hshdhdhehd 5 days ago | parent [-] | | So the problem is we want to use a different language to Haskell. GHC Haskell. |
|
|
|
| ▲ | yukinon 5 days ago | parent | prev | next [-] |
| For someone like me that is less versed in these things, could you explain why bootstrapping a language is a required check for taking a language seriously? My criteria is far less stringent (is it stable? is it popular enough? is the toolchain mature? etc..), so I wonder what I am missing here. |
| |
| ▲ | tennysont 5 days ago | parent | next [-] | | The Haskell compiler creates a slightly different output every time you compile a program[1]. This makes it difficult to ensure that the binary that is free-to-download downloaded is actually malware free. If it were easy to check, then you could rest easy, assuming that someone out there is doing the check for you (and it would be big news if malware was found). If you're a hardened security person, then the conversations continues, and the term "bootstrap" becomes relevant. Since you do not trust compiled binaries, then you can compile programs yourself from the source code (where malware would be noticed). However, in order to compile the Haskell compiler, you must have access to a (recent) version of the Haskell compiler. So, version 10 of the compiler was built using version 9, which was built using version 8, etc. "Bootstrapping" refers (basically) to building version 1. Currently, version 1 was built approximately with smart people, duct tape, and magic. There is no way to build version 1, you must simple download it. So if you have high security requirements, then you might fear that years ago, someone slipped malware into the Haskell compiler version 1 which will "self replicate" itself into every compiler that it builds. Until a few years ago, this was a bit of a silly concern (most software wasn't reproducible) but with the rise of Nix and Guix, we've gotten a lot closer to reproducible-everything, and so Haskell is the odd-one-out. [1]
The term is "deterministic builds" or "reproducible builds". Progress is being made to fix this in Haskell. | | |
| ▲ | romes 5 days ago | parent | next [-] | | From 9.12, -fobject-determinism[1] will guarantee deterministic objects. If it ever doesn't, do open a bug report[2] [1] https://downloads.haskell.org/ghc/latest/docs/users_guide/us...
[2] https://gitlab.haskell.org/ghc/ghc/-/issues | | | |
| ▲ | lrvick 5 days ago | parent | prev [-] | | Unlike Nix and Guix, Stagex goes much further in that it has a 100% mandate on supply chain integrity. It trusts no single maintainer or computer and disallows any binary blobs. It is thus not possible to package any software that cannot be bootstrapped, reproduced, and signed by at least two maintainers. Haskell and Ada are the only languages not possible for us to support, or any software built with them. Everything else is just fine though. I do hope both languages address this though, as it is blocking a lot of important open source software like pandoc or coreboot from being used in security critical environments. | | |
| ▲ | frumplestlatz 5 days ago | parent [-] | | How are you bootstrapping a modern C compiler without an existing C/C++ compiler and linker? | | |
|
| |
| ▲ | Koffiepoeder 5 days ago | parent | prev [-] | | I'm not the OP, but for me their comment sparked an association to the famous Ken Thompson lecture called 'Trusting Trust'. Could be a good starting point. |
|
|
| ▲ | rowanG077 5 days ago | parent | prev | next [-] |
| How is ghc compiled at all without bootstrapping? Or is there a magic binary in tree that is unreproducible? I have compiled ghc a few times and had no problems. |
| |
| ▲ | lrvick 5 days ago | parent | next [-] | | Quite literally all distros today build it by downloading an existing magic binary to compile the latest sources. Even if they claim the package is reproducible, all bets are off on trust if it downloads a prebuilt binary in the build process. It is a prime Trusting Trust attack target. The only other somewhat widely used language I am aware of in this bad of a position is Ada. Every other language I am aware of has a clear bootstrap path. | | |
| ▲ | gf000 5 days ago | parent | next [-] | | Outside some fairly niche projects working on the problem, this is not a priority and most systems have straight binary dependencies. | | |
| ▲ | lrvick 5 days ago | parent [-] | | The normalized lack of care about supply chain integrity is going pretty poorly, as any read of recent headlines indicates. Stagex has a 100% full source bootstrapping, and reproducibility requirement that at least two maintainers must prove and sign for every package. Stagex is also very heavily used and relied on in high value financial and scientific applications where trusting a binary some internet rando compiled is not even remotely acceptable. Haskell and Ada are locked out of any high security applications until they are bootstrappable. | | |
| ▲ | tennysont 4 days ago | parent | next [-] | | I was under the impression that most supply chain attacks target source code, not binaries, especially for large projects like OpenBSD. Does StageX audit source code to the same extend that OpenBSD does? If not, then how would you compare the downgrade in security due to less code auditing vs the reassurance of reproducible builds? Or, how would you compare StageX with Gentoo, in which the entire system is installed from source. Sure, you have to trust your initial installer, but how could I get a StageX system setup without first having access to a computer with some software installed? If we're at the point where we're worried that every Haskell program that has ever been compiled is owned, then I wonder why I should trust any software that might install StageX onto my computer, or the underlying hardware for that matter? | |
| ▲ | gf000 5 days ago | parent | prev [-] | | I'm not saying the status quo is good, but it is nontheless the status quo. Just about every machine on the cloud, mobile devices, etc all have non-source binaries somewhere, and besides some niche projects that actually have an assembly half-C compiler bootstrapping another tiny C compiler bootstrapping a real C compiler, this is not feasible for the vast software ecosystem as of today. | | |
| ▲ | jeremyjh 5 days ago | parent | next [-] | | Most mainstream languages have a fairly straightforward bootstrapping process that doesn't rely on a trusted binary. And yes, most distrubutions ignore that, but nonetheless it is possible to use those languages in a high-sec environment if you put the work in. I'm not sure that I agree that GHC can't be bootstrapped though. There is a process for porting to other architectures; its not an automated process and perhaps no one outside the GHC team can actually do it, but if for some insane reason NSA decided they want to use Haskell I'm not sure that they actually can't, if they put a lot of work in and hire GHC committers with high security clearances. | | |
| ▲ | lrvick 5 days ago | parent [-] | | GHC absolutely could be bootstrapped, but someone versed in that ecosystem would have to put in a lot of work to do it. If they ever do, my team and I will put in the work to package and maintain it in stagex. |
| |
| ▲ | lrvick 5 days ago | parent | prev [-] | | Stagex can already support all of those use cases provided they are not written in Haskell or Ada, and in fact Stagex is already used heavily in production. We bootstrap everything deterministically from 180 bytes of human auditable x86 machine code. Rust, Go, Nodejs, we have you covered with complete full source bootstrapping and multi-party signed reproductions. There is no good excuse for poor supply chain integrity anymore. |
|
|
| |
| ▲ | icrbow 5 days ago | parent | prev | next [-] | | Ada can't bootstrap? Ironic... | | |
| ▲ | lrvick 5 days ago | parent | next [-] | | Yes, and that is a serious security problem because the only way to get trusted PCR values for TPM2 gated secure boot and full disk decryption applications, is with open source full source bootstrapped firmware. Coreboot is the only option, but it has a hard requirement on Ada because that is what they wrote their intel graphics stack in. It is a real mess. | | |
| ▲ | utopiah 5 days ago | parent [-] | | Interesting, any link I could read to understand a bit more the situation? | | |
| ▲ | lrvick 5 days ago | parent [-] | | Here is some background on the Haskell situation: https://www.joachim-breitner.de/blog/802-More_thoughts_on_a_... Ada has had even less progress and I am not aware of any writeups. TL;DR: Ada and Haskell need to have compilers implemented a language that has a full source bootstrap path such as C, Go, or Rust that implement just enough features to compile the official compilers. | | |
| ▲ | elbear 4 days ago | parent [-] | | Just curious, are C, Go and Rust and the only viabile languages for an implementation? |
|
|
| |
| ▲ | leoh 5 days ago | parent | prev [-] | | Sounds like an opportunity to rebuild an ADA interpreter | | |
| ▲ | lrvick 5 days ago | parent [-] | | Yes. Many efforts have started and fizzled out over the years before completion. If you know anyone that takes this on and succeeds I have a 2k cash bounty for them, and we can likely find others. |
|
| |
| ▲ | rowanG077 5 days ago | parent | prev [-] | | I see, yes I most likely used a distro build ghc. |
| |
| ▲ | jdndndnns 5 days ago | parent | prev [-] | | And where did you get the haskel compiler to do so? You seem to be missing the point of bootstrapping | | |
| ▲ | rowanG077 5 days ago | parent [-] | | Maybe that is literally why I asked the question, clearly I don't know as I have not spend the time investigating this problem that the commenter has. Asking some kind of gotcha question is not helpful. |
|
|
|
| ▲ | leoh 5 days ago | parent | prev | next [-] |
| This is wild. I didn’t know this. |
|
| ▲ | liveoneggs 5 days ago | parent | prev [-] |
| doesn't rust have the same problem? I've known this about haskell for ages and I think it's just the new norm ("trust us, bro") |
| |
| ▲ | lrvick 4 days ago | parent [-] | | Not anymore. Real pain in the ass to bootstrap but thanks to mrustc combined with our work in stagex we have an easy to audit path now in a 100% bootstrapped distro. Unfortunately due to no first party support or interest from the Rust team, we have to build through 15+ versions to get to latest and it takes 6+ hours to build with a 20+ core system, but it works. https://codeberg.org/stagex/stagex/src/branch/main/packages/... | | |
|
