This is a really odd point. We both agree there are huge benefits to open source, right? But you're saying the binaries also have to be reproducible, because maybe they're hiding some proprietary code in there? Um, can't you just verify there is no additional functionality?
Replying to @taviso @matthew_d_green and
I think we both know there's no such thing as "just verify there is no additional functionality" for a black box.
Replying to @RichFelker @taviso and
Without repro builds, in practice even when vendors release source there are often no scripts to rebuild it. This isn't malice, just a matter of it being hard to do right. Repro builds are a discipline to get it right. (GPL anticipated this problem back in the 80s, BTW.)
Replying to @RichFelker @taviso and
If a router vendor ships their source that's a modified OpenWRT, but doesn't do repro build processes, do you think it's likely that the source actually matches the firmware blob you download from their site? :-)
Replying to @RichFelker @matthew_d_green and
Right, but you're saying "they might be breaking the law, and if they provide a reproducible build, we can check if they're breaking the law and sue them....." so, if they are breaking the law, why would they do that?
Replying to @taviso @matthew_d_green and
No. I'm saying that you can check that there's not new vendor-induced bug surface outside the patch set and limit the scope of what needs audit to the patch set.
Replying to @RichFelker @matthew_d_green and
I deleted my last tweet, I think I misunderstood. I think you're saying there are code quality benefits to making your build reproducible, and you want developers to be better. OK, but you're mixing in security claims, I only really object to claims it prevents backdoors.
Replying to @taviso @matthew_d_green and
Not just code quality but, when the product is derived from FOSS and you don't have reason to believe the vendor has ability to upstream bugdoors into the FOSS, significant benefits to the practicality of audit for bugdoors and unintentional added vulns.
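The audit-scoping argument in the two replies above (check that the shipped blob rebuilds from the released source, then confine review to the vendor's patch set against upstream) as a worked check. This is an added example, not code from anyone in the thread; the "build" step is a stand-in that deterministically concatenates sources so the script runs offline on constructed input, and the source trees and file names are constructed.

```shell
#!/bin/sh
# Added example: reproduce a vendor binary from released source, then
# limit the audit to the vendor's patch set against upstream.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for a deterministic build. A real one needs a pinned toolchain,
# SOURCE_DATE_EPOCH, sorted inputs and no embedded paths or timestamps.
build() {  # build <srcdir> <outfile>
  find "$1" -type f | LC_ALL=C sort | xargs cat > "$2"
}

sha() { sha256sum "$1" | cut -d' ' -f1; }

# Constructed "upstream" tree, plus a vendor tree carrying one local change.
mkdir -p "$WORK/upstream" "$WORK/vendor-src"
printf 'int main(void) { return 0; }\n' > "$WORK/upstream/main.c"
printf 'void net_init(void) {}\n'       > "$WORK/upstream/net.c"
cp "$WORK/upstream/"* "$WORK/vendor-src/"
printf 'void net_init(void) { vendor_tweak(); }\n' > "$WORK/vendor-src/net.c"

# check_release <vendor-src> <shipped-blob> <upstream-src>
# Returns 0 and prints the patch set to audit when the blob reproduces;
# returns 1 when it does not, meaning the whole binary is in scope.
check_release() {
  build "$1" "$WORK/rebuilt.bin"
  if [ "$(sha "$WORK/rebuilt.bin")" != "$(sha "$2")" ]; then
    echo "MISMATCH: shipped blob was not built from the released source"
    return 1
  fi
  echo "REPRODUCED: audit scope is the vendor patch set:"
  diff -ru "$3" "$1" || true   # diff exits 1 whenever trees differ
}

# Demonstration: the blob the vendor "ships" is built from the same source.
build "$WORK/vendor-src" "$WORK/vendor.bin"
check_release "$WORK/vendor-src" "$WORK/vendor.bin" "$WORK/upstream"
```
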
Replying to @RichFelker @matthew_d_green and
Sure, and I want a pony. Nobody is going to buy me one though, so why discuss it?
Replying to @taviso @RichFelker and
Haven't you won one yet? pic.twitter.com/KeQZ7kg4id
Two, but who's counting 