One of my favourite stories by Robert A Heinlein, was actually written by Anson MacDonald.

Early in his career, Heinlein wrote under several pseudonyms, but only one of them was “obvious”. I’m not aware of any way to link the names Lyle Monroe, John Riverside, Caleb Saunders, or Simon York to Heinlein. In contrast, knowing that Robert Anson Heinlein was, at that time, married to Leslyn MacDonald made “Anson MacDonald” a dead giveaway to anyone familiar with Heinlein.

By His Bootstraps is probably my favourite time-travel story. While many stories dealing with time travel are sloppy and lack internal consistency, this one is very carefully crafted to be clear and explain both changing points of view and how to deal with the question of temporal paradox.

I won’t spoil it – while certainly dated, it’s still a great story.

Instead, I’ll start with the origin and evolution of the “bootstrap” idiom, which is an interesting story in its own right. The saying “pull oneself up by one’s bootstraps” dates back to at least the 1830’s, where it was used as an example of an impossible task. Interestingly, the saying is sometimes attributed to the infamous character “Baron Munchausen”, though this character actually pulled himself (and his horse) out of a swamp by pulling on his own pigtail. The idea is there, and since this predates the 1830’s by a generation, it appears to be a possible origin of the concept, if not the exact mechanics of the impossible task.

More recently, the term is often used (without apparent recognition of its inherent impossibility) to tell people to work harder to address their situation, as if it’s possible to address economic inequality or depression (as examples), just by working harder. Its use highlights the common (and almost entirely fictional) trope that people can “succeed”, simply through effort.

Setting that topic aside, though, we finally come to computers.

In computer technology, bootstrapping is used to describe a technique used in designing compilers. To summarize, a compiler is software that translates from one language to another, and generally refers to translating software written in a high-level language (such as C, Rust, or Java) into something like assembly language. I previously discussed some of this while reviewing the story of Grace Hopper.

Bootstrapping, in the context of compilers, is a process by which a basic compiler is used to create a more advanced version of itself. Instead of having to build a compiler from scratch each time it is improved, bootstrapping simplifies the process and allows for continuous improvement. In practice, you might build a compiler for language 1.0 in assembly language, then build compiler 1.1 using language 1.0. Rinse and repeat.

The process by which a computer “boots” is comparable. I have summarized the boot process previously, and note that each process builds on a prior process in a way analogous to compiler bootstrapping. The challenge with operating systems, though, is that they deal with an extremely complex set of different tools and processes (of which compilers are one component), all of which require occasional updates.

In such a complex system, bootstrapping would refer to a system (or subsystem) which can build itself from scratch, whenever needed. While most operating systems currently have some ability to validate that given versions of specific packages are valid, it can be practically impossible to validate modules built from those packages.

Consider that you have module B1, which is built from modules A1, A2, and A3. Now consider that you have module B2, which is built from A1a (ie, a different version of A1) and A4. Now consider that you have module C1, which is built from A1b (another different version), A2a, A4, and B1. And so on, and so on.

There must be a better way!

Well, yes and no.

Yes, there’s a way this can be managed, but no, it’s not easy.

I previously discussed Zero Trust and supply chain security, and then heard about Stage^X on an episode of Cybersecurity Today. Stage^X is an open source project to build, in their words, “A container-native, full-source bootstrapped, and reproducible toolchain to build all the things”.

I have not reviewed the project, but I fully support the goal. One of the major security problems we have is around the challenge of validating the downstream members of long supply chains. Building on the famous XKCD cartoon, it is bad enough that there are enormous numbers of dependencies in software supply chains, but it’s far worse that it’s practically impossible to validate those supply chains in any comprehensive way.

Now consider a fully bootstrapped system. In such a system, you would download and validate all of the component parts of the build, and then trigger the build process which uses those components to build everything else. It then becomes easy to validate the results, because the results should always be the same for a given set of components.

This may sound easy, but remember that most current systems include processes which are built locally, but also download many components from various outside sources, resulting in systems which are extremely powerful and versatile, but also near-impossible to validate efficiently.

While many organizations are moving in the direction of improving traceability and supply-chain validation, the problem is too big and too complex to address without a great deal of effort. That said, it’s too important to get wrong, so I suspect that the big OS vendors will probably move toward tighter control over what is installed and how, which can allow better traceability.

I am hopeful, however, that projects to build fully-bootstrapped systems may start to snowball, and evolve into larger systems. While much more complex to build and maintain, they have the potential to be vastly more traceable and verifiable – and the ability to verify that a system has not been altered will become more and more important over time.

Maybe these fully-bootstrapped systems will be able to use those bootstraps to pull themselves above the competition...

Cheers!