Interview with Ekaitz Zarraga (RISC-V bootstrapping effort) – NGI Assure beneficiary

Ekaitz Zarraga (RISC-V)

RISC-V bootstrapping effort

Are you passionate about ensuring trust and security in the software you use?

Ever worried about whether the software you download truly matches its source code?

If so, you’re in for a treat!

Meet the “RISC-V bootstrapping effort,” an ambitious project led by Ekaitz Zarraga, a seasoned freelance engineer from the Basque Country. With over a decade of experience in free software, Ekaitz is dedicated to tackling one of the internet’s most significant issues: trust in the software supply chain.

Learn how Ekaitz, with the support of NGI Assure, is working to create a system that ensures software authenticity without relying on third parties.

This project enhances security by focusing on a full-source bootstrap chain for GNU Guix and extends these benefits to the RISC-V architecture. 

Are you curious about how this effort could revolutionize your software experience?

Welcome to the world of secure computing!✨


Can you introduce yourself and your project?

I’m Ekaitz Zarraga, a freelance engineer in the Basque Country. I’ve always been an enthusiast for free software and have participated in many free software projects since I started programming professionally ten years ago.

I’m working on the “RISC-V bootstrapping effort” for GNU Guix. I’ve been working on this project for two years already, first alone, filling some gaps we had, and now in collaboration with several people from related projects, trying to finally achieve a full-source bootstrap chain.

What are the key issues you see with the state of the internet today?

There are many problems to choose from, but it’s not a surprise that trust is one of the biggest problems on the internet. In our case, we focus on trust in the software supply chain, a very overlooked issue. 

We already have free software, and we love it, but we cannot make sure that the artifacts (pre-built programs or even pre-processed sources) we can find on the internet exactly match the source code they are supposed to come from.

This is a huge source of security issues.

Proof of that is the recent XZ package drama and the many issues that happened but weren’t as famous as that one. 

Our focus is to provide a system that can be independent of package maintainers to ensure that everything is what it’s supposed to be, meaning the source code matches the artifact we obtained from the internet.
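The check described in this answer, "does the artifact I obtained really come from this source?", in its most basic form, as an added example that is not code from the RISC-V bootstrapping effort or from Guix itself: run the same build twice in fresh directories and compare the outputs. Guix provides this for its own packages with `guix build --check` (rebuild a store item and compare) and `guix challenge` (compare a local build against what substitute servers serve); the portable shell script below does the same for any build command. The `OUT` variable convention and the two demo "builds" are constructed for this example.

```sh
#!/bin/sh
# Added example (not code from the RISC-V bootstrapping effort or Guix):
# the simplest form of the "does the artifact match the source?" check.
# A build command is run twice in fresh directories; if the two outputs
# do not hash identically, something other than the source (timestamps,
# build paths, randomness, or a tampered toolchain step) leaked in.
set -eu

# rebuild_and_compare BUILD_CMD
#   BUILD_CMD is a shell snippet that writes its artifact to the path in
#   the environment variable OUT (a convention assumed for this example).
#   Returns 0 when both runs produce byte-identical output, 1 otherwise.
rebuild_and_compare() {
    build_cmd=$1
    tmp=$(mktemp -d)
    hashes=""
    for run in 1 2; do
        dir="$tmp/run$run"
        mkdir -p "$dir"
        # Each run gets its own working directory and output path so that
        # a build which embeds its build path shows up as a mismatch.
        (cd "$dir" && OUT="$dir/artifact" sh -c "$build_cmd")
        h=$(sha256sum "$dir/artifact" | cut -d' ' -f1)
        hashes="$hashes $h"
    done
    rm -rf "$tmp"
    set -- $hashes
    if [ "$1" = "$2" ]; then
        echo "reproducible: sha256 $1"
        return 0
    fi
    echo "NOT reproducible: $1 != $2" >&2
    return 1
}

# Constructed demo inputs: a "build" that depends only on its inline source,
# and one that bakes in random bytes, standing in for a timestamp leak.
rebuild_and_compare 'printf "int main(void){return 0;}\n" > "$OUT"'
rebuild_and_compare 'od -An -N8 -tx1 /dev/urandom > "$OUT"' || true
```

The caveat a practitioner should keep in mind: both runs above use whatever compiler and tools are already installed, so a matching hash only shows that the build is deterministic given that toolchain. Trusting the toolchain itself is the gap the full-source bootstrap the interview is about is meant to close.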

What do you like most about (working on) your project?

This is an exciting project where we must deal with many low-level programming details: compilers, assemblers, architectures, standard libraries, and hundreds of implementation details.

Also, this last year, I’ve been working in collaboration with other people, mostly Andrius Štikonas, who is working on the “Full-source bootstrap” for Live-Bootstrap and has a key role in Stage0-Posix, and Janneke Nieuwenhuizen, the GNU Mes author and maintainer, but also with others.

✨Collaboration is a great way to keep motivation and learn, which is very important in a project requiring attention to detail and low-level knowledge✨

Lastly, I should mention the freedom this project has given me.

I can organize my time freely, and the project is goal-oriented so that I can focus on the essential things: providing something to humanity rather than sitting on a chair for eight hours a day.

Where will you take your project next?

We are providing this “Full-source bootstrap” system for GNU Guix and Live-Bootstrap (thanks to Andrius), where the users will be able to install their distributions from source, without having to trust any third parties, also on RISC-V machines.

How did NGI Assure help you reach your goals for your project?

The “Full-source bootstrap” is an immense effort as it requires many small details to work perfectly, and many new projects need to be developed to fill all the gaps.

Working on a new architecture like RISC-V makes the process even more challenging. Many projects already working on other architectures are unavailable for RISC-V, and we need to find alternatives or port them to RISC-V.

With NGI funds, we have been able to fund several efforts in this direction for several years until we finally reached a “Full-source bootstrap” for x86 and now for RISC-V.

- GNU Mes is one of the key projects of the bootstrapping effort. It has been funded by NGI (Zero and Assure) in the past, and thanks to that, we can ask Janneke, the author and maintainer, to help us reach our shared goals.

- Stage0-posix is the other key project of the bootstrapping effort. With the NGI funding, we can fund Andrius to continue to work on it and improve Live-bootstrap, giving us a new setup to test our bootstrapping system.

- GNU Guix provides a reproducible setup and a powerful package system that helps us develop our bootstrapping effort. Several GNU Guix-related projects have been funded by NGI.

- My previous backporting effort has also been funded by NGI Assure, and that opened the door to the current project.


✨This was possible with the current and previous NGI funding for this project and the adjacent ones.✨

This long-term investment allows us to protect the users in a way that is impossible to keep up with in our free time without funds. Because the project is so complex, we have to be able to focus 100% on it and combine the expertise of several people.

Do you have advice for people who are considering applying for NGI funding?

Yes! Just try. If your idea is good, and you are helping people, I think the proposal is worth the effort.

My first proposal was rejected, but I tried again, being more careful with the project’s scope, and it was accepted. Don’t give up. In my experience, realistic projects that are practical and have a good plan are more likely to be funded. 

My advice is to be as specific as possible (sometimes the projects don’t help with that) and don’t give up too early. Also, the projects are long and sometimes can be slightly overwhelming. 

Trying to do what your heart tells you helps to keep the motivation in hard times.

Do you have any recommendations to improve future NGI programmes or the wider NGI initiative?

It’s probably already being done, but I think a good balance between short-term and long-term projects is vital.

Real changes cannot be made without long-term projects, and without short-term projects, everyday needs take a long time to solve. Keeping a good balance between both is hard, but I think that is the best way to contribute to a better society.

I’d also like to focus more on the independent programmers working in their free time to improve our computing and society, thanklessly, with no funds. I think their work should be appreciated more, and they deserve more funding as they are vital parts of the ecosystem from which companies and individuals benefit.

I strongly believe that programs like this can change lives, help people focus more on their passions, and help them be more effective in their goals of improving society.

Other programs spotlight the private sector with the excuse of pushing innovation, but I think the focus should be on those who build things for everyone and whose goals are to improve everyone’s lives.

I gave a talk about this issue at FOSDEM 2023, which introduces the problem, and another one in 2024 updating on the status of the project.

NGI Assure

Publication Date

15/07/2024
