During the Reproducible Builds Summit in Marrakesh,
three distributions (GNU Guix, Nix
and Debian) were able to produce a bit-for-bit identical
binary when building GNU Mes, despite
using three different major versions of GCC to build the initial Mes compiler,
which was then used to build the bit-for-bit identical Mes binary. Since the
summit, additional work resulted in a bit-for-bit identical Mes binary using
At a previous Reproducible Builds Summit people implemented a proof of concept build of TinyCC, using multiple different compiler implementations, though notably GNU Mes is used by GNU Guix to bootstrap a complete software distribution from a minimal set of binary seeds. These accomplishments are early steps towards demonstrating the viability to use Diverse Double-Compiling techniques in the real world to counter Trusting Trust attacks.
Future plans include attempting to bootstrap Mes with an even more diverse set of compilers such as Clang and Microsoft’s C compiler, aiming for a proper real-world demonstration of Diverse Double-Compiling.
The Mes binary produced as a result of this work is available in GNU Guix as
mes-rb5 package, and in the Debian
0.21-3 version as the
mes-boot0-static binary. And… the moment you’ve all been waiting for, the
SHA-256 checksum of this version is: