Other Build hermeticity?

  • Thread starter Deleted member 76788

Deleted member 76788

Guest
[I'm going to mention Linux distros; this is solely to illustrate concepts, not to judge fbsd for not being Linux]

There's a Linux distro called Chimera Linux which uses its own build system for the base and packages, called cbuild. It makes a point of absolute hermeticity and hence reproducibility: a full bootstrap runs four full compiles, three of them in a sandbox, which only gets original build artifacts put in it, and which is checked before and after every step for consistency. (I must admit to not understanding all the details.) This strategy was adopted because the author had previously worked on Void Linux, which had a similar system called xbps-src. That system was more careless with environment isolation and hence minute details got tangled up and set in their infrastructure: they're still using a version of buildbot which is over a decade old.

I'm wondering what FreeBSD's hermeticity story looks like? Can it guarantee total independence from the host system? I'm guessing so, given all the headline security features, but I can't find a reference for it.
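
One way to check a build root before and after a step, as an added example that is not part of the original post and is not cbuild's or FreeBSD's code: it records a manifest of the tree, runs a simulated step, and reports every change outside the directory the step is allowed to write to. The directory layout, the `writable` parameter and the sample files are assumptions constructed for the illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each path under root to (type, permission bits, content digest)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: record symlinks, do not follow them
            if stat.S_ISLNK(st.st_mode):
                kind, data = "link", os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                with open(full, "rb") as fh:
                    kind, data = "file", hashlib.sha256(fh.read()).hexdigest()
            else:
                kind, data = ("dir" if stat.S_ISDIR(st.st_mode) else "other"), ""
            manifest[os.path.relpath(full, root)] = (kind, stat.S_IMODE(st.st_mode), data)
    return manifest

def drift(before, after, writable=()):
    """List (change, path) for every difference outside the writable prefixes."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if any(path == p or path.startswith(p + os.sep) for p in writable):
            continue
        if before.get(path) != after.get(path):
            kind = "added" if path not in before else "removed" if path not in after else "modified"
            changes.append((kind, path))
    return changes

def demo():
    """Constructed scenario: a step writes its output and also edits a header."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr", "include"))
        os.makedirs(os.path.join(root, "destdir"))
        header = os.path.join(root, "usr", "include", "config.h")
        with open(header, "w") as fh:
            fh.write("#define FEATURE 0\n")
        before = snapshot(root)
        # Simulated step: one expected output, one leak into the build root.
        with open(os.path.join(root, "destdir", "prog"), "w") as fh:
            fh.write("binary")
        with open(header, "w") as fh:
            fh.write("#define FEATURE 1\n")
        return drift(before, snapshot(root), writable=("destdir",))

if __name__ == "__main__":
    print(demo())
```

A non-empty result means the step touched something outside its declared output, which is the kind of leak that makes a later build depend on the state an earlier one left behind.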
 