Subj : Re: macOS 26
To : apam
From : tenser
Date : Sat Sep 27 2025 11:50 am

On 25 Sep 2025 at 11:30p, apam pondered and said...

ap> > ap> But really who knows if Linus is not an evil hacker in truth putting back
ap> > ap> doors in Linux.. we know because a) he has a good reputation and b) the
ap> > ap> code can be viewed and audited.
ap> >
ap> > I don't think anyone's seriously worried about that, specifically.
ap>
ap> No, I don't think so either, at least not for the Linux kernel, but
ap> smaller less popular packages maybe.

Oh for sure. Supply chain attacks are a real concern for a lot of folks. Attestation of artifacts (compiled binaries and so on) and tracking their provenance (that is, being able to definitively track them back to source code) is a pretty big deal in some circles.

ap> I remember reading an article about
ap> some node-js package the US government was using written by a Russian
ap> developer. It was kind of a silly scaremongering article though.

I remember when the Android security folks were importing Rust into Google. They were pretty worried about the binary compilers distributed by the Rust project; at the time, there was a separate project called `mrustc` that was sort of a parallel implementation of the compiler, but written in C++. It lacked most of the fancy stuff in the regular compiler (read: it didn't actually implement the borrow checker) but it was good enough to compile the compiler, so that you could bootstrap it onto a new platform (which is really what it was meant for).

Anyway, Google's C++ compilers were pretty well trusted, so they started with mrustc, and got it to build a recent-ish, but older, Rust compiler, then they used _that_ to roll forward Rust point releases until a) they were at the current stable version, and b) the compilers that process generated were bit-for-bit identical with the binaries from the Rust foundation.

At that point they could say, "we're using the stable Rust compiler, as distributed by the project" and _also_ show provenance tracking the whole toolchain back to a trusted root compiler. It was pretty nifty.

I was the one who initially imported the Rust toolchain into the main Google monorepo back in 2018 or so. I just pulled the binaries from `rustup`, but as things started getting serious with Rust inside of Google, there was a lot of talk about importing what the Android folks had done (Android, as an open source project, lives outside of the monorepo). I don't know what they've done recently, since I left in 2021.

--- Mystic BBS v1.12 A48 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)
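As an added illustration of the provenance check tenser describes above (example code, not from the post and not Google's or Android's own tooling), here is a small Python model of the bootstrap chain: each stage records which compiler built it, and the chain verifies only if every stage traces back to the trusted root compiler and the final artifact matches the upstream-distributed binary. All digests are constructed stand-ins, and the stage names are assumed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildStep:
    # One link in a bootstrap chain: the compiler `tool` produced artifact
    # `output`; both are SHA-256 hex digests of the binaries.
    label: str
    tool: str
    output: str


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_chain(steps, trusted_root, upstream_binary):
    """Walk forward from the trusted root compiler. Each step must have been
    built by the previous step's output (the first by the root), and the final
    output must match the upstream-distributed binary. Returns (ok, reason)."""
    current = trusted_root
    for step in steps:
        if step.tool != current:
            return False, f"{step.label}: built by a tool outside the chain"
        current = step.output
    if current != upstream_binary:
        return False, "final compiler is not bit-for-bit identical to upstream"
    return True, "provenance verified back to the trusted root"


# Constructed digests standing in for real artifacts (not hashes of real files).
ROOT = digest(b"trusted C++ toolchain")
MRUSTC = digest(b"mrustc built with the trusted C++ toolchain")
RUSTC_OLD = digest(b"older rustc built with mrustc")
RUSTC_NEXT = digest(b"rustc point release built with the older rustc")
UPSTREAM = digest(b"stable rustc as distributed by the project")
RUSTUP_BIN = digest(b"prebuilt rustc pulled from rustup")  # not traceable to ROOT

GOOD_CHAIN = [
    BuildStep("mrustc", ROOT, MRUSTC),
    BuildStep("rustc (old)", MRUSTC, RUSTC_OLD),
    BuildStep("rustc (roll forward)", RUSTC_OLD, RUSTC_NEXT),
    BuildStep("rustc (stable)", RUSTC_NEXT, UPSTREAM),
]
# Same final artifact, but one stage was built with an untracked prebuilt binary.
TAINTED_CHAIN = [GOOD_CHAIN[0], BuildStep("rustc (old)", RUSTUP_BIN, RUSTC_OLD)] + GOOD_CHAIN[2:]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("tainted", TAINTED_CHAIN)):
        print(name, verify_chain(chain, ROOT, UPSTREAM))
```

The tainted chain ends in the same final digest as the good one, which is exactly why matching the upstream binary alone is not enough: the per-stage tool check is what catches the untracked compiler.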