Start with stage0 (whose binary seed is about 1 KiB) and GNU Mes. Use mescc to build tinycc, then GCC 2.95, then GCC 4.7, then fairly modern GCC, and then use mrustc to build some version of Rust. The time-consuming part is that each version of the Rust toolchain uses fairly new features in the Rust language, so yes, you'll probably have to build the world a couple dozen times starting with the most recent version supported by mrustc.

The difficulty with reproducible builds in Java is the timestamps. It's a solved problem now, but I don't think it was 20 years ago.

OAuth isn't an HTTP extension, it's an OSI application level protocol. Also, of all the protocols you could have picked, OAuth is a really simple one. You could code a custom implementation in an afternoon. HTTP isn't even so bad, even with the HTTP/2 modifications, you could definitely do it yourself, depending on your reading comprehension ability (reading code standards is not a skill every programmer has).

Ever since most of JQuery functionality got added to the Javascript standard library, you mostly don't need third party libraries. Something like React can be useful if you are working on a web app with a large team because it gives you encapsulation, but even then, the number of third party library dependencies is small enough that a security team can review them all, which some companies do.

A USB-C connector is the same physically as a Thunderbolt 3/4 connector. That does not mean you can always run Thunderbolt over the connector. This is the a problem with a universal connector that has wildly different capabilities. However in this context, I know of no mobile phone that has a Thunderbolt connector unlike what the OP and the people who replied have said.

"Right Wing Media"? I wonder if Fox News is a union shop? I've heard people on Fox News talk about unions for decades, I literally have no idea what you mean by "You're not even allowed to say the word Union anymore in Media. The right wing media just won't allow you to use certain words."

And "Just like they won't allow you to quote Charlie Kirk"? Who's stopping you - of course, there's quoting someone by saying exactly what they said, and then there's the "let me re-phrase what Charlie Kirk said so you will know what I think he meant, not what he actually said." There's a famous quote about Charlie Kirk "reportedly" saying "it was OK to stone homosexuals to death" - you may remember Stephen King famously tweeted that... The only problem was the quote was lifted from a sentence wherein Charlie Kirk was quoting the bible and he repeated it as a line that his enemies would take out of context and try to use against him - and they did. Stephen King soon apologized. Yeah, I have a problem with those kinds of "quotes" where someone's enemies "re-phrase" what someone said then claim it is literally what they said.

If I had to guess, we let this happen by the USA electing George W. Bush in 2000. His incoming Attorney General settled United States v. Microsoft Corp., 253 F.3d 34 (D.C. Cir. 2001), with a wrist slap instead of a Windows division breakup.

You probably guessed correctly: equitable relief in the form of an injunction against Disney bringing a trademark lawsuit. I haven't read the complaint, but I'd be surprised if it didn't cite Kellogg and Dastar.

The Supreme Court of the United States has decided a few cases about the interaction between the Lanham Act, which inclues trademark law, and exclusive rights pursuant to the Copyright Clause. Key cases includes Kellogg Co. v. National Biscuit Co., 305 U.S. 111 (1938), and Dastar Corp. v. Twentieth Century Fox Film Corp., 539 U.S. 23 (2003). In both cases, the Court ruled that the Lanham Act cannot be used to extend the effective term of exclusive rights in an invention whose patent has expired or a work whose copyright has expired. Disney's legal counsel ought to be familiar with the latter case, seeing as it involved a company that is now a subsidiary of Disney.

From the article:

The Go project recently arranged for Go itself to be completely reproducible given only the source code, meaning that although a build needs some computer running some operating system and some earlier Go toolchain, none of those choices matters."

[...]

The Multics review is famous for pointing out the possibility of adding a back door to a compiler to insert back doors in critical system programs during compilation [...]. Reading the report inspired Ken Thompson to implement exactly that attack on an early Unix system, probably in early 1975. He later explained the attack in his 1983 Turing Award lecture, published in Communications as "Reflections on Trusting Trust."

David A. Wheeler described a defense against a back door that propagates through the compiler in a 2009 PhD dissertation titled Fully Countering Trusting Trust through Diverse Double-Compiling . Diverse double-compiling (DDC) involves choosing two or more other independently developed compilers A and B for a language, bootstrapping compiler C from source code through each of them (building C with A or B and then building C with itself), and ensuring that the output is byte-identical. This relies on previous effort to make builds reproducible.

However, DDC also relies on having more than one implementation of a particular language. Go and Rust each have only one widely used implementation. This means someone trying to wrangle a supply chain has to do one of three things: trust a particular old version of a compiler not to have a back door, compile every version since the dawn of the language (such as when Rust was prototyped in OCaml), or implement a usable subset of the language in a more widely implemented language. This is why mrustc is so important, as it's a way to skip forward by several years' worth of versions when bootstrapping a Rust compiler.

From the article: "The only problem left is key distribution: The verifier must know who should have signed the code. [...] To the extent that questions of identity can be solved, having authors sign their software can provide even stronger guarantees." It goes on to describe how Debian and Go package repositories include the expected hash value of a package, so that package downloading tools can reject a package that has been replaced.

However, the approach used by Debian to verify developers' identity, that of new developers physically meeting existing trusted developers at key signing parties to exchange OpenPGP public keys, doesn't scale very well. A lot of contributors are disconnected from the strongly connected set of the web of trust because they cannot travel to key signing parties. This can be because of cost, work or child care scheduling, regulatory restrictions related to geopolitics, or regulatory restrictions related to public health (most recently during 2020-2021). These disconnected contributors must forever rely on the bottleneck of "sponsors" (trusted developers who forward packages from the maintainer to the distribution) to get their work into a distribution.

And sponsors are indeed a bottleneck. From the article: "And then you need to be ready to update to a fixed version of that dependency." When a package's upstream maintainer releases an updated version of a package, the package's sponsor in a particular distribution may be too busy with other tasks to handle it the same day. This can mean that there is no available labor to forward the update to the rolling distribution and backport the fix to the version of the package in a stable distribution.

This seems like the sort of advice that is going to be exceptionally hard to get followed because it's mostly so dull.

There can be some interesting futzing in principle to keep unnecessary sources of variation from getting folded into build artifacts, normally followed by less-interesting making of those change in practice across a zillion projects; and basically anything involving signing should at least be carefully copying the homework of proper heavyweight cryptographers; but most of the advice is of the "fix your shit" and "yes, actually, have 10 people, ideally across multiple orgs, despite the fact that you can get it for free by pretending that the random person in Nebraska won't make mistakes, get coopted by an intelligence agency, quit to find a hobby that doesn't involve getting yelled at on the internet for no money, or die" flavor; which is absolutely stuff you should do; but the sort of deeply unsexy spadework that doesn't have magic bullet vendors lobbying for it to get paid for.

What seems sort of damning is that the explanation is "our tech sucks".

The 'explanation' is that the demo triggered all the devices within earshot because apparently a device designed to perform possibly-sensitive actions on your behalf was assigned a model line wide, public audio trigger in order to make it feel more 'natural' or something; rather than some prosaic but functional solution like a trigger button/capacitive touch point/whatever; and that the device just silently fails stupid, no even informative feedback, in the even of server unresponsiveness or network issues. Both of these seem...less than totally fine...for something explicitly marketed for public use in crowded environments on what we euphemistically refer to as 'edge' network connectivity.

You obviously have limited control over the network in a situation like this; so nobody expects the goggles to fix the internet or facebook's server resource allocations for you; but having some sort of "can't reach remote system" error condition has been ubiquitous basic function since around the time that dirt was still in closed beta.

They gave everyone 4+ years notice, at some point MS should be allowed to evolve their product.

Please, explain how the free upgrade from Win 10 to 11 forces anyone to buy windows again. Then explain the greedy profit motive behind the free upgrade from windows 7 and 8/8.1 enriches Microsoft.

I guess Microsoft sucks at being greedy?

As is hyper-v on win 10 and 11

Running Win 10 in a VM doesn't make it more secure, you know that, right?

If you want to flex over your moms robust laptop, you need to say what generation it is, so you can explain to us why she's relying on a 10 year-old cast-off laptop from you (did your mom really need 16 gigs of ram?)

Her messages aren't weird, would you prefer MS to silently just stop updating her laptop? Yes, there should be a way to override the alerts, but they aren't weird, they are useful if you fear being hacked.