Hacker News: Timber-6539's comments

That's no different from how NixOS does it. You are still comparing hashes from the first build done by the distribution. A more pure approach would be to use the source code files (simple sha256sum will suffice) as the first independent variable in the chain of trust.

I'm not sure what you mean. It's your machine that calculates the hashes when it encounters the code.

If you build the directed graph made by the symlinks in the nix store, and walk it backwards, a sha256 of the source files is what you'll find, both in the form of a nix store path and possibly in a derivation that relies on a remote resource but provides a hash of that resource so we can know it's unchanged when downloaded later.

The missing piece is that they're not gossiped between users. So if I find some code in a dark alley somewhere and it has a nix flake to make building it easy, I've got no way to take the hashes and determine who else has experience with the same code and can help me decide if it's trustworthy.


If your builder is compromised, it can be co-opted to sign and verify the "source code" files with any values. The risk of placing this trust in the builder or the nix store is an easy one to avoid. Getting the authenticity of the code from the source code independently ought to be the correct way of verifying reproducible builds.

You mean like, as a signature made by the code's author?

Hmm that feels a bit too much like a root of trust, those make me uncomfortable. I'm more interested in tooling for gathering metadata re: the trustworthiness of some code without the author's participation. If the author wants to be involved, all the better.


The code author could make a signature on every release which would be the strongest guarantee of authenticity. But at a rudimentary level, we could have code hosting repositories simply publish/advertise the sha256 values of the hosted code files.

The root of trust has to lay at the source code origin for a pure implementation of reproducible builds and for the security reasons I mentioned earlier.

In general it doesn't help much IMO to have distributions take a silo view of the problem. But those are just my ideas and thoughts on the matter.
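As an added example (not code from either commenter, and not Nix's own NAR-based store hashing), here is the builder-independent check the two comments above describe: a per-file sha256 manifest over the source files that a code host or author could publish, a single root hash over that manifest, a fixed-output check for a remote resource whose hash is pinned in the derivation, and verification of a local checkout that flags a file a compromised builder or mirror altered. The manifest layout, file names and contents are constructed for the demonstration.

```python
"""Builder-independent source verification: per-file SHA-256 manifest, a root
hash over the manifest, and a fixed-output check for a pinned download.
Added example; the manifest layout is an assumption, not Nix's NAR encoding."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> sha256 of contents for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_hex(p.read_bytes())
    return manifest


def tree_hash(manifest: dict) -> str:
    """One root digest over the sorted (path, digest) pairs; this is the value a
    host or author would advertise for a release and users could gossip."""
    h = hashlib.sha256()
    for path, digest in sorted(manifest.items()):
        h.update(f"{path}\x00{digest}\n".encode())
    return h.hexdigest()


def verify_tree(root: Path, published: dict) -> list:
    """Compare the local checkout against a published manifest.
    Returns discrepancies; an empty list means every file matches."""
    local = build_manifest(root)
    problems = []
    for path in sorted(set(local) | set(published)):
        if path not in published:
            problems.append(f"unexpected file: {path}")
        elif path not in local:
            problems.append(f"missing file: {path}")
        elif not hmac.compare_digest(local[path], published[path]):
            problems.append(f"hash mismatch: {path}")
    return problems


def verify_fixed_output(fetched: bytes, pinned_sha256: str) -> bool:
    """Fixed-output check: a derivation pins the hash of a remote resource, so
    bytes fetched later are accepted only if they match that pin."""
    return hmac.compare_digest(sha256_hex(fetched), pinned_sha256)


def demo() -> dict:
    """Constructed scenario: publish a manifest for a tiny tree, then tamper with
    one file as a compromised builder or mirror might and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_bytes(b"int main(void) { return 0; }\n")
        (root / "flake.nix").write_bytes(b"{ outputs = { self }: { }; }\n")

        published = build_manifest(root)      # what the code host would advertise
        root_before = tree_hash(published)
        clean = verify_tree(root, published)  # no discrepancies expected here

        (root / "src" / "main.c").write_bytes(b"int main(void) { return 1; }\n")
        tampered = verify_tree(root, published)
        root_after = tree_hash(build_manifest(root))

    return {
        "root_before": root_before,
        "root_after": root_after,
        "clean": clean,
        "tampered": tampered,
    }


if __name__ == "__main__":
    result = demo()
    print("root hash of published tree:", result["root_before"])
    print("clean checkout problems:", result["clean"])
    print("tampered checkout problems:", result["tampered"])
```

Note the caveat the verification does not remove by itself: a manifest fetched from the same mirror as the code only moves the trust to that mirror. Either an author signature over the root hash, or the same root hash obtained from independent sources, is what makes the first link of the chain independent of any one builder or host.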


There are also some other gaps left to close to implement this vision, mentioned in this post and my reply to it:

https://news.ycombinator.com/item?id=43030046


I've opened a tab to your paper and I'll be reading it, thanks for the link

That's great. Feel free to reach out if you want to, I'm happy to answer any questions. It's basically my job, that I really love. :)

Musk's offer to buy OpenAI has put Sam in a corner. Given that Softbank recently made a similar offer of $40B, it would be idiotic of OpenAI's board to pass on Elon's offer which is more than double what Softbank offered.

They offered 40B investment at 260B valuation.

That valuation is a speculative figure unlike Musk's offer to buy cash.

> That valuation is a speculative figure unlike Musk's offer to buy cash.

Like his initial offer to buy Twitter… which he tried to go back on and was forced to follow through on via court?


How sure are you that wasn't his plan all along? And isn't the same plan here?

If it was Musk's plan to look foolish and petulant by being forced to buy a company for what he said he would buy it for after briefly trying to pull out of a deal, he succeeded wildly.

But there is no apparent benefit to this: He paid what he had already guaranteed he would pay and received what he at various (but not all) times said he wanted to buy, just with extra steps that made him look worse.


The benefit would be if he succeeded to lower the price point. I am not saying it was a good tactic.

Elon is that another one of your alts?

Yes, but at this point whether there is still a meaning in your original comment is speculative too.

May not be entirely accurate but it's still relevant context.

softbanks offer was at a $260B valuation, but only $40B investment

src: https://www.google.com/amp/s/www.cnbc.com/amp/2025/02/07/sof...


I offer 5 USD for X, please explain how this is bad for Elon Musk.

The choice is not between that. It's between which of the two businesses can deliver outsized growth & returns back to the investor in their time horizon.

Capitalism is bad because Elon won the game. Never mind that Sam Altman is a board member of the same non-profit he is trying to sell to himself for pennies.

Why not both?

One can only imagine how many corners your friend had to cut to get to the product you call finished.


He's got paying customers organic inbound by word of mouth only; there must be some value there.



I don't see how these two would be connected.

His SaaS solves a problem for a very specific industry that's quite small (his market research yielded about 6000 customers) so it's a small, niche industry where a lot of the small business proprietors know each other through a trade group and more or less have the same problem: the alternative solutions currently in the market are expensive, entrenched, legacy providers that operate through a POS while his solution is web-based and costs less.


I find it is good for many things. A time-saver & productivity booster for domain that's already known aka problems that have already been solved.

For new stuff or stuff not in the public domain like that it is completely worthless. I also have to keep second guessing the results. Fortunately, quality testing a bunch of code on a carousel to "good enough" status has never been easier.


Let us cannibalize your app because it's so successful at doing X that we can't compete with you. It's a bizarre ultimatum for the owners of the app.


Seems like the policies used by the Chinese government for decades are becoming more internationally popular (for better or for worse..).

I can’t really feel bad about it when it’s the same deal they offer Western companies. Well.. to be fair Google or FB couldn’t even get anywhere close to where TikTok is.


Where you launch in a place where the government actually controls your company, well, that's a decision you made.


You are basically saying American adults are impressionable children hence cannot be trusted to participate in elections held by US electoral institutions.


And you are basically saying that despite decades of focused high-stakes research into the matter, propaganda doesn't work at all on the masses, and that algorithmic manipulation of people is simply impossible? How could anyone take that idea seriously.. global advertising spend is approaching like a trillion dollars every year.


Why not call for the dismantling of the global advertising networks in the US rather than Tiktok since you think it is a giant propaganda machine?

Saying a foreign nation has the capability to brainwash your citizens into making a vote is propaganda by itself. It's not only cheap and imbecilic, it's a waste of everybody's time.


It’s not cheap, that’s the point.. ads as an industry moves more money every year than the Pentagon. That’s a lot of people betting that algorithmic influence campaigns work. Are you saying everyone is wrong about this but you, or is your position that influence campaigns work for brands but not for nation states? Or nation states would not try? Or what?


>Why not call for the dismantling of the global advertising networks in the US

Yes, we should do this also.


I am saying that but would prefer to state it this way:

Individuals are not equipped to recognize and counter the effects of highly sophisticated influence operations run by adversaries with enormous resources.


Americans are humans and all humans are susceptible to advertising/propaganda


so we ban all advertising/“propaganda”? who gets to decide what is or isn’t propaganda if we gonna ban it?


> who gets to decide what is or isn’t propaganda if we gonna ban it?

in a representative republic that would ideally be the elected representatives


this is the cost of free speech. it has to be, or free speech is meaningless. yes speech influences people.


One time I had an AWS customer (Nokia Deepfield) spamming my shadowsocks server logs with unauthenticated attempts. Emailed AWS to curtail the abuse and they sided with their customer ofc.


Biden's accomplishment is sending bombs to the IDF to aid Palestinian genocide.

