Vendors lying about the extent to which they modified FOSS in their products is a huge issue that repro builds fully fix, and it is absolutely relevant to the approach to evaluating safety.
Replying to @RichFelker @matthew_d_green and
If you don't trust the vendor to tell the truth, how can you trust them not to insert a bugdoor?
Replying to @taviso @matthew_d_green and
There's a big difference between trust to be nonmalicious and trust to be competent and not hiding embarrassing things.
Replying to @RichFelker @taviso and
But if you have proof the patches are correct & scope is auditable you *don't have to trust*.
Replying to @RichFelker @matthew_d_green and
I have no idea what that means. You verify the build matches, so you don't have to trust me that my build server was safe... so what, you still have to trust there are no bugdoors. That's the whole discussion.
Replying to @taviso @matthew_d_green and
"Build server" is a distraction. Repro builds are a process to ensure the recipient has a way to build from source. If the source is a minor diff on top of existing FOSS, the vendor has no access to backdoor; only the diff needs audit.
Replying to @RichFelker @matthew_d_green and
This is a really odd point. We both agree there are huge benefits to open source, right? But you're saying the binaries also have to be reproducible, because maybe they're hiding some proprietary code in there? Um, can't you just verify there is no additional functionality?
Replying to @taviso @matthew_d_green and
I think we both know there's no such thing as "just verify there is no additional functionality" for a black box.
Replying to @RichFelker @taviso and
Without repro builds, in practice even when vendors release source there are often no scripts to rebuild it. This isn't malice, just a matter of it being hard to do right. Repro builds are a discipline to get it right. (GPL anticipated this problem back in the 80s, BTW.)
Replying to @RichFelker @taviso and
If a router vendor ships their source that's a modified OpenWRT, but doesn't do repro build processes, do you think it's likely that the source actually matches the firmware blob you download from their site? :-)
Right, but you're saying "they might be breaking the law, and if they provide a reproducible build, we can check if they're breaking the law and sue them....." so, if they are breaking the law, why would they do that?
Replying to @taviso @matthew_d_green and
No. I'm saying that you can check that there's not new vendor-induced bug surface outside the patch set and limit the scope of what needs audit to the patch set.
Replying to @RichFelker @matthew_d_green and
I deleted my last tweet, I think I misunderstood. I think you're saying there are code quality benefits to making your build reproducible, and you want developers to be better. OK, but you're mixing in security claims; I only really object to claims it prevents backdoors.