I think people generally agree now that reproducible builds don't prevent backdoors. That's good, but now they want to argue for other fuzzier benefits, so it's harder to follow that!
Conversation
Oh, I never thought they _prevented_ backdoors, only that some of the easier vectors for introducing them are being mitigated. And that seems a good thing, especially in combination with my strong suspicion (only anecdata, though) that it helps code (or at least build) quality.
1
And since I can't see any real harm with reproducible builds (besides the work it takes to set up in the first place) - i.e. no runtime overhead etc - I don't see the usual discussion of cost of mitigation measures to factor in much in this debate. So, why not build reproducibly?
1
The auditing / trust benefits are largely theoretical, esp. outside tiny projects... but reproducible builds are very useful nonetheless. Regularly helps me debug problems, analyze the impact of changes and even figure how to build things properly. Bonus: smaller delta updates.
1
1
2
Let's not drift from the core discussion, maybe homeopathic remedies have the benefit of the placebo effect, but they don't cure disease. Do reproducible builds mean you don't need to trust the vendor, or eliminate backdoors? The answer is no, agreed?
2
1
The theoretical benefits of reproducible builds are based on the theoretical benefits of open source. I don't think reality matches anything close to the hype. I don't think either does much to avoid trust in vendors/developers. I think both help making software better though.
1
It depends a lot on the project. It gets much less useful as the code size / complexity of the project increases. It's more useful if the project uses a simple type/memory safe language where there are far fewer subtle ways of horrible things happening so it's easier to check.
1
If we're talking RCE backdoors and a typical 250k LOC C++ project, reproducible builds do not accomplish anything in terms of reducing trust in the vendor / developer. If it's some 25k LOC Go project not doing anything insane, decent assurance of no RCE backdoors seems tractable.
2
1
It's not absolute size but delta. If your distro or someone who ported the FOSS to Windows is shipping a binary, relevant size is their diff vs upstream. Repro builds lets you audit what they did.
1
1
Dismissal of value of repro builds ignores the reality of FOSS supply chain where multiple intermediary parties are involved in getting you a binary and you have different trust relationship with each.
2
2
I interpreted the question as being about trust in the software vendor / developers. Reproducible builds are a lot more clearly useful for downstream builds / distribution especially if they don't change anything substantial. It's just not how I interpreted the discussion.
I think the usefulness for avoiding trust in the developers is heavily tied to software complexity and the tools being used. If software is simpler and far less is left to humans to get right, auditing provides more assurance. Partly the same problem as finding a regular bug.