You can prove the build server isn't compromised, but you can't prove you're not trying to hide a backdoor, right? So users still have to trust you, and you could get the same benefit from getting a third party to privately repro the build for you...
Conversation
I don't fully agree. It is still easier to hide a backdoor in (obfuscated) binary code than it is in (written-to-be-maintainable) source code. Config should ideally be included.
And there are other code quality benefits of reproducible builds besides security (testing, deltas).
2
1
11
What have I done by disagreeing with ?
(Seriously, this is a very good centithread, and there are not many that still make sense beyond a 100 replies 🤔)
GIF
1
I think people generally agree now that reproducible builds don't prevent backdoors. That's good, but now they want to argue for other fuzzier benefits, so it's harder to follow that!
2
Oh, I never thought they _prevented_ backdoors, only that some of the easier vectors for introducing them are being mitigated. And that seems a good thing, especially in combination with my strong suspicion (only anecdata, though) that it helps code (or at least build) quality.
1
And since I can't see any real harm with reproducible builds (besides the work it takes to set up in the first place) - i.e. no runtime overhead etc - I don't see the usual discussion of cost of mitigation measures to factor in much in this debate. So, why not build reproducibly?
1
The auditing / trust benefits are largely theoretical, esp. outside tiny projects... but reproducible builds are very useful nonetheless. Regularly helps me debug problems, analyze the impact of changes and even figure how to build things properly. Bonus: smaller delta updates.
1
1
2
Let's not drift from the core discussion, maybe homeopathic remedies have the benefit of the placebo effect, but they don't cure disease. Do reproducible builds mean you don't need to trust the vendor, or eliminate backdoors? The answer is no, agreed?
2
1
The theoretical benefits of reproducible builds are based on the theoretical benefits of open source. I don't think reality matches anything close to the hype. I don't think either does much to avoid trust in vendors/developers. I think both help making software better though.
1
It depends a lot on the project. It gets much less useful as the code size / complexity of the project increases. It's more useful if the project uses a simple type/memory safe language where there are far fewer subtle ways of horrible things happening so it's easier to check.
1
If we're talking RCE backdoors and a typical 250k LOC C++ project, reproducible builds do not accomplish anything in terms of reducing trust in the vendor / developer. If it's some 25k LOC Go project not doing anything insane, decent assurance of no RCE backdoors seems tractable.
Depends a lot on the project and the relevance of different kinds of backdoors. There's so much that can go wrong with video conferencing beyond an RCE vulnerability and I don't think we have tools to build it in a way that it can be meaningfully audited for severe backdoors...
It's not absolute size but delta. If your distro or someone who ported the FOSS to Windows is shipping a binary, relevant size is their diff vs upstream. Repro builds lets you audit what they did.
1
1
Dismissal of value of repro builds ignores the reality of FOSS supply chain where multiple intermediary parties are involved in getting you a binary and you have different trust relationship with each.
2
2
Show replies