Reproducible bootstrap of Mes C compiler

Dec 21, 2019

During the Reproducible Builds Summit in Marrakesh, three distributions (GNU Guix, Nix and Debian) were able to produce a bit-for-bit identical binary when building GNU Mes, despite using three different major versions of GCC to build the initial Mes compiler, which was then used to build the bit-for-bit identical Mes binary. Since the summit, additional work resulted in a bit-for-bit identical Mes binary using tcc.

At a previous Reproducible Builds Summit, participants implemented a proof-of-concept build of TinyCC using multiple different compiler implementations. GNU Mes is notable, though, because GNU Guix uses it to bootstrap a complete software distribution from a minimal set of binary seeds. These accomplishments are early steps towards demonstrating that Diverse Double-Compiling techniques are viable in the real world as a counter to Trusting Trust attacks.

Future plans include attempting to bootstrap Mes with an even more diverse set of compilers such as Clang and Microsoft’s C compiler, aiming for a proper real-world demonstration of Diverse Double-Compiling.

The Mes binary produced as a result of this work is available in GNU Guix as the mes-rb5 package, and in the Debian i386 mes 0.21-3 version as the mes-boot0-static binary. And… the moment you’ve all been waiting for, the SHA-256 checksum of this version is:

9e0bcb1633c58e7bc415f6ea27cee7951d6b0658e13cdc147e992b31a14625fb
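The comparison step behind a result like this can be scripted. The following is an added example, not code from the original post or from the Mes project: it hashes the final binary produced by each toolchain, checks every digest against the published one, and reports the first differing byte offset for any build that diverges. The toolchain labels, file paths and sample bytes are constructed assumptions.

```python
import hashlib
import os
import tempfile

# SHA-256 published in the post for the reproducible Mes binary.
PUBLISHED_SHA256 = "9e0bcb1633c58e7bc415f6ea27cee7951d6b0658e13cdc147e992b31a14625fb"

def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def first_difference(path_a, path_b):
    """Offset of the first differing byte, or None if the files are identical."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        a, b = fa.read(), fb.read()
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def compare_builds(builds, expected=PUBLISHED_SHA256):
    """builds maps a toolchain label to the path of the final binary it produced."""
    digests = {label: sha256_file(path) for label, path in builds.items()}
    matching = sorted(label for label, d in digests.items() if d == expected)
    reference = builds[matching[0]] if matching else None
    # For each outlier, locate where it first diverges from a matching build.
    outliers = {label: first_difference(reference, builds[label]) if reference else None
                for label, d in digests.items() if d != expected}
    return {"digests": digests, "matching": matching, "outliers": outliers,
            "reproducible": bool(matching) and not outliers}

if __name__ == "__main__":
    # Constructed sample data: stand-ins for binaries, not real Mes builds.
    good = b"\x7fELF" + bytes(range(64))
    bad = bytearray(good)
    bad[10] ^= 0xFF  # simulate one toolchain leaking a nondeterministic byte
    tmp = tempfile.mkdtemp()
    builds = {}
    for label, data in {"gcc-a": good, "gcc-b": good, "tcc": bytes(bad)}.items():
        builds[label] = os.path.join(tmp, label)
        with open(builds[label], "wb") as f:
            f.write(data)
    print(compare_builds(builds, expected=hashlib.sha256(good).hexdigest()))
```

Called with real build outputs and the default `expected`, the result is reproducible only when every build hashes to the published digest.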

Content licensed under CC BY-SA 4.0.