I suspect you and @natashenka are wizards with decompilers, and so perhaps working with them does not add the 50x overhead it would add to me.
But does it add any overhead? If so, repro builds should eliminate that.
Replying to @matthew_d_green @halvarflake and
I don't follow, having the source available would eliminate that - but what difference does it make if it's reproducible? To be clear, I believe having the source available - whether the vendor is trusted or not - is beneficial to security.
Replying to @taviso @halvarflake and
If there is, say, an N-factor overhead to working with decompiled binaries rather than source, and projects ship with efficiently reproducible source code — then P0 finds N times as many bugs in the same amount of time, for any project that has open source. That seems good.
Replying to @matthew_d_green @halvarflake and
OK, but let's separate out these components. There are two parts. There's the source code, which we both agree has benefits. Then there's things like seeds for -frandom-seed. What is the benefit to Project Zero of the second?
Replying to @taviso @halvarflake and
Not to have to look at binaries unless you suspect a compiler flaw?
Replying to @matthew_d_green @halvarflake and
The only possible reason for that would be we suspect the vendor is embedding a backdoor, right? But that would be an insane thing to do, when as we've already established, bugdoors are far superior?
Replying to @taviso @halvarflake and
I still want to know why P0 looks at binaries :)
Replying to @matthew_d_green @taviso and
Because it is the only responsible way to do a code audit. It is what actually runs; that precompilation source code never runs on your system.
I’m not asking if there can be bugs that appear only in binaries (and which would also be available with reproducible builds.) Of course that’s possible. I’m asking if that’s explicitly why @natashenka was looking at binaries.
I don't want to speak for anyone else, but sometimes it's just the best option. For example, do you want to learn a codebase and figure out all the template logic and operator overloading, or just find it in IDA and see if there's an integer overflow check? 