Without repro builds, in practice even when vendors release source there are often no scripts to rebuild it. This isn't malice, just a matter of it being hard to do right. Repro builds are a discipline to get it right. (GPL anticipated this problem back in the 80s, BTW.)
Replying to @RichFelker @taviso and
If a router vendor ships their source that's a modified OpenWRT, but doesn't do repro build processes, do you think it's likely that the source actually matches the firmware blob you download from their site? :-)
1 reply 0 retweets 3 likes
Replying to @RichFelker @matthew_d_green and
Right, but you're saying "they might be breaking the law, and if they provide a reproducible build, we can check if they're breaking the law and sue them....." so, if they are breaking the law, why would they do that?
1 reply 0 retweets 1 like
Replying to @taviso @matthew_d_green and
No. I'm saying that you can check that there's not new vendor-induced bug surface outside the patch set and limit the scope of what needs audit to the patch set.
1 reply 0 retweets 4 likes
Replying to @RichFelker @matthew_d_green and
I deleted my last tweet, I think I misunderstood. I think you're saying there are code quality benefits to making your build reproducible, and you want developers to be better. OK, but you're mixing in security claims, I only really object to claims it prevents backdoors.
1 reply 0 retweets 3 likes
Replying to @taviso @matthew_d_green and
Not just code quality but, when the product is derived from FOSS and you don't have reason to believe the vendor has ability to upstream bugdoors into the FOSS, significant benefits to the practicality of audit for bugdoors and unintentional added vulns.
2 replies 0 retweets 2 likes
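The audit-narrowing argument in the two tweets above, as an added illustration that is not part of the thread: if rebuilding the vendor's released source reproduces the shipped image, review can be limited to the vendor's delta against upstream; if it does not, the source says nothing about the blob. The source trees, file paths and the stand-in build function are all constructed here, not a real OpenWrt checkout or build.

```python
import hashlib

# Constructed sample trees (hypothetical paths): upstream, and the vendor's
# released source, which changes one config file and adds one package.
UPSTREAM_TREE = {
    "package/base-files/files/etc/banner": b"OpenWrt\n",
    "target/linux/generic/config-5.4": b"CONFIG_A=y\n",
}
VENDOR_TREE = {
    "package/base-files/files/etc/banner": b"OpenWrt\n",
    "target/linux/generic/config-5.4": b"CONFIG_A=y\nCONFIG_VENDOR_DEBUG=y\n",
    "package/vendor-cloud/src/agent.c": b"int main(void) { return 0; }\n",
}


def deterministic_build(tree: dict) -> bytes:
    """Stand-in for a reproducible build: the image depends only on the
    source tree (sorted paths, no timestamps, no build-host data)."""
    h = hashlib.sha256()
    for path in sorted(tree):
        h.update(path.encode() + b"\0" + tree[path] + b"\0")
    return h.digest()


def source_delta(upstream: dict, vendor: dict) -> dict:
    """Files the vendor added, modified or removed relative to upstream:
    the patch set that actually needs human review."""
    return {
        "added": sorted(p for p in vendor if p not in upstream),
        "modified": sorted(p for p in vendor if p in upstream and vendor[p] != upstream[p]),
        "removed": sorted(p for p in upstream if p not in vendor),
    }


def audit_scope(shipped_image: bytes, upstream: dict, vendor: dict) -> dict:
    """Rebuild the released source and compare with the downloaded image.
    Match: audit only the delta. Mismatch: the whole binary is in scope."""
    rebuilt = deterministic_build(vendor)
    if hashlib.sha256(rebuilt).digest() != hashlib.sha256(shipped_image).digest():
        return {"reproducible": False, "scope": "entire binary image"}
    return {"reproducible": True, "scope": source_delta(upstream, vendor)}


if __name__ == "__main__":
    print(audit_scope(deterministic_build(VENDOR_TREE), UPSTREAM_TREE, VENDOR_TREE))
    print(audit_scope(b"opaque blob from the download page", UPSTREAM_TREE, VENDOR_TREE))
```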
Replying to @RichFelker @matthew_d_green and
Sure, and I want a pony. Nobody is going to buy me one though, so why discuss it?
6 replies 0 retweets 12 likes
Replying to @taviso @RichFelker and
Having not read the rest of the thread, I *am* tempted to buy you a pony, just to force you into discussing something that you don't want to discuss (I haven't even read what it is ;)
2 replies 3 retweets 40 likes
Replying to @matthew_d_green @halvarflake and
I'm raising money for Buy a Pony for Tavis. Click to Donate https://www.gofundme.com/f/buy-a-pony-for-tavis?utm_source=twitter&utm_medium=social&utm_campaign=p_cf+share-flow-1
9 replies 21 retweets 84 likes
Replying to @matthew_d_green @halvarflake and
I spent all my money on political horses
1 reply 1 retweet 13 likes