In order for them to check the build, they’d have to engineer reproducible builds anyway. So the costs have already been incurred. Might as well make them available to your auditors at no additional cost, so they can eliminate another trust point.
-
-
Replying to @matthew_d_green @taviso and
I also think you’re considering a model where there’s a binary choice between absolute trust and no consequences for serious bugs, and zero trust. There’s a spectrum.
1 reply 0 retweets 3 likes -
Replying to @matthew_d_green @halvarflake and
It would be nice if that was true, but every month the major vendors publish dozens of backdoor-equivalent vulns. Doesn't that prove there are no penalties for bugdoors? Worse, there might be social penalties or threats to you for discussing a bugdoor you discovered
1 reply 0 retweets 4 likes -
Replying to @taviso @halvarflake and
If you imagine deliberate bugdoors created by nation states, you also have to consider that good bugs can be discovered and exploited in both directions.
1 reply 0 retweets 1 like -
Replying to @matthew_d_green @halvarflake and
Not really, you already mentioned Dual-EC. As I understand it, they argue they generated them randomly and it was a genuine spec-bug. You argue is was a bugdoor, but it can only be exploited in one direction, right? The same is true for other bug classes.
1 reply 0 retweets 0 likes -
Replying to @taviso @halvarflake and
Like what? I’m curious what kinds of non-cryptographic bugs are NOBUS like Dual EC.
1 reply 0 retweets 2 likes -
Replying to @matthew_d_green @halvarflake and
Umm, stack buffer overflow parsing https://vendor/latestversion.txt? Nobody else can exploit that, right?
2 replies 0 retweets 2 likes -
Replying to @taviso @halvarflake and
I’m confused now. I thought you were arguing that there were vulns that could only be exploited by one side, a la Dual EC.
1 reply 0 retweets 0 likes -
Replying to @matthew_d_green @halvarflake and
Yes, you understand correctly. Who else can exploit the example I gave other than the vendor?
2 replies 0 retweets 0 likes -
Replying to @taviso @matthew_d_green and
An on-path network attacker who has a cert for the domain?
1 reply 0 retweets 2 likes
I can sit here and make up bugs if you like, the strcpy() only happens after the embedded signature check. 
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.