I don't fully agree. It is still easier to hide a backdoor in (obfuscated) binary code than it is in (written-to-be-maintainable) source code. Config should ideally be included. And there are other code quality benefits of reproducible builds besides security (testing, deltas).
Right, so let's say I trust the vendor, but I think their build might be compromised. You're saying "now you can verify their build isn't compromised, but you still have to trust there are no bugdoors", so why wouldn't you trust them not to promise they checked the build repro'd?
It makes no sense, right? You either trust the code *and* trust them that they verified the build wasn't compromised, or you don't trust them... and it's meaningless? I really think published reproducible builds are a red herring.
I think reproducible builds are useful for locking down a few classes of attack -- delivering dif builds to dif folk, and knowing that the source you see results in the build you're running. There are other attacks, like bugdoors. But don't let perfect be the enemy of better.
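The point made in the reply above, that a reproducible build lets you check that the source you can read is what produced the binary you run, is easy to see in code. The following is an added example, not code from anyone in the thread: a toy "build" that packs a constructed source tree into a tar archive stands in for a compiler. The naive variant embeds the wall clock and the build host's identity, so two honest builds of the same source differ and a published hash proves nothing; the reproducible variant pins those inputs (the fixed-timestamp convention is modelled on SOURCE_DATE_EPOCH), so an auditor can rebuild and compare against the vendor's published digest. All names and file contents here are assumptions made for the example.

```python
import hashlib
import hmac
import io
import tarfile
import time

# Constructed sample source tree (example data, not from the thread): path -> contents.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(int x) { return x + 1; }\n",
    "README": b"toy project\n",
}


def build(source_tree, build_time, builder):
    """Toy 'build' step: pack the tree into an uncompressed tar archive.

    build_time becomes every entry's mtime and builder its uname, which is what a
    naive packer copying host state does. Entries are written in sorted order so
    the only sources of variation are the two parameters."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(source_tree):
            data = source_tree[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = build_time
            info.uname = builder
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_build(source_tree):
    """An ordinary CI job: embeds the wall clock and the runner's identity (hypothetical name)."""
    return build(source_tree, int(time.time()), "ci-runner-1")


def reproducible_build(source_tree, source_date_epoch=0):
    """Reproducible build: fixed timestamp (SOURCE_DATE_EPOCH convention) and no host identity."""
    return build(source_tree, source_date_epoch, "")


def digest(artifact):
    """SHA-256 of the produced artifact, as a vendor would publish it."""
    return hashlib.sha256(artifact).hexdigest()


def verify(published_digest, source_tree, source_date_epoch=0):
    """Auditor's check: rebuild independently from the readable source and compare
    with the digest the vendor published. True means the binary matches the source."""
    rebuilt = reproducible_build(source_tree, source_date_epoch)
    return hmac.compare_digest(digest(rebuilt), published_digest)


if __name__ == "__main__":
    # Two naive builds of identical source generally differ (timestamp / host leak in).
    a, b = naive_build(SOURCE_TREE), build(SOURCE_TREE, int(time.time()) + 60, "ci-runner-2")
    print("naive builds identical:", a == b)
    # Two reproducible builds are byte-for-byte equal, so a published digest is checkable.
    published = digest(reproducible_build(SOURCE_TREE))
    print("vendor digest verifies:", verify(published, SOURCE_TREE))
    # A source tree that differs from what was shipped fails the check.
    tampered = dict(SOURCE_TREE, **{"src/main.c": b"int main(void) { return 1; }\n"})
    print("tampered source verifies:", verify(tampered and published, tampered))
```

Note what the check does and does not cover: a matching digest shows that this source produced this binary, which closes the "different builds to different people" and "binary does not match source" cases; it says nothing about whether the source itself contains a deliberate bug, which is the "bugdoor" case the thread distinguishes.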
New conversation
In order for them to check the build, they’d have to engineer reproducible builds anyway. So the costs have already been incurred. Might as well make them available to your auditors at no additional cost, so they can eliminate another trust point.
I also think you’re considering a model where there’s a binary choice between absolute trust and no consequences for serious bugs, and zero trust. There’s a spectrum.
New conversation
Another scenario: The sw vendor may not be able to prove that a build matches their source when built / distributed by a 3rd party. E.g. Signal can’t repro the build distributed by the App Store (but some verif can be done). OFC, if you don’t trust your platform vendor… ¯\_(ツ)_/¯