Honestly, this is all a large lot of whataboutisms. Sure, there are bugdoors. Source code is still easier to audit for bugs than binaries. If you don't have reproducible builds, you are left with the binary alone. So, I see a benefit. Complete solution? Nothing ever is.
Replying to @dEnergy_dTime @RichFelker and
Obviously you can have source code without reproducible builds, what a ridiculous thing to say?
1 reply 0 retweets 0 likes -
Replying to @taviso @dEnergy_dTime and
In practice you *don't* have source code without repro builds. You have approximate source code that differs from the actual source the binary was built from in various ways for various reasons.
2 replies 0 retweets 4 likes -
Replying to @RichFelker @dEnergy_dTime and
Do you have source code to the Linux kernel?
1 reply 0 retweets 0 likes -
Replying to @taviso @dEnergy_dTime and
Which Linux kernel? I have the source to the one I built. I'm not sure if I have it for the one my Alpine laptop is running (don't know what exact compiler they used). Pretty sure I would have it if running Debian.
1 reply 0 retweets 2 likes -
Replying to @RichFelker @dEnergy_dTime and
You said "you *don't* have source code without repro builds", then you said "I have the source to the one I built". Which one of those is true?
1 reply 0 retweets 0 likes -
Replying to @taviso @dEnergy_dTime and
You don't have source code to a binary someone else built without repro builds. You do have it for something you built, at least until you clobber the build environment with hidden deps.
1 reply 0 retweets 3 likes -
Replying to @RichFelker @dEnergy_dTime and
Cool, so in practice you *can* have source code without reproducible builds? Then why do you need them to be bit-for-bit identical? I think you're struggling to justify a threat model that doesn't make sense.
2 replies 0 retweets 1 like -
Replying to @taviso @RichFelker and
Threat model: binary (e.g. Alpine kernel) build service compromised, maliciously patches source files before builds. As auditor, you review the source code that you *think* gets built, but can't verify it actually is what your client runs, because no two builds are identical.
1 reply 0 retweets 0 likes -
Replying to @dEnergy_dTime @taviso and
we're not Linux from scratch and this isn't 1999. You usually don't run your own software distribution just because you want to know the binary that gets distributed for sure. That's what hashes are for.
1 reply 0 retweets 0 likes
I see, you want reproducible builds, but it ain't 1999, so we're sure as hell not actually going to reproduce them. What attack will that defend against?
Replying to @taviso @RichFelker and
you reproduce once, sign the hash, let someone else care about distribution. Certainly, I don't have to explain PKI to *you*?!
0 replies 0 retweets 1 like
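Worked example of the threat model and the "reproduce once, sign the hash" workflow argued over above. This is an added illustration, not code from the thread or from Alpine, Debian or any other project mentioned in it. The source tree, the two build environments (a build service and an auditor's machine) and the "tampered" patch are all constructed; a gzipped tarball stands in for the compiled package, which is enough to show where a normal build leaks its environment (mtimes, uid, build directory, gzip header timestamp, file order) and what pinning those fields does to an auditor's ability to detect a build service that patches sources before building.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> contents); not any real project's code.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "Makefile": b"all:\n\tcc -o main src/main.c\n",
}

# Timestamp shipped with the sources, in the style of SOURCE_DATE_EPOCH.
SOURCE_DATE_EPOCH = 1_500_000_000

# Two hypothetical build machines: the distro's build service and the auditor's box.
ENV_BUILD_SERVICE = {"time": 1_700_000_000, "builddir": "/build/job-42", "uid": 1001}
ENV_AUDITOR = {"time": 1_700_086_400, "builddir": "/home/auditor/src", "uid": 1000}


def build(tree, env, reproducible):
    """Turn *tree* into a .tar.gz artifact (standing in for a compiled package).

    reproducible=False lets the environment leak into the output the way an
    unprepared build does: wall-clock mtimes, uid, build directory, gzip header
    timestamp, dict insertion order.  reproducible=True pins every one of those.
    """
    ts = SOURCE_DATE_EPOCH if reproducible else env["time"]
    entries = dict(tree)
    if reproducible:
        entries["BUILDINFO"] = f"source_date_epoch={SOURCE_DATE_EPOCH}\n".encode()
    else:
        entries["BUILDINFO"] = (
            f"built_at={env['time']}\nbuilddir={env['builddir']}\n"
        ).encode()
    names = sorted(entries) if reproducible else list(entries)

    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for name in names:
            data = entries[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = ts  # integer, so no float pax header is emitted
            info.uid = info.gid = 0 if reproducible else env["uid"]
            tf.addfile(info, io.BytesIO(data))
    # gzip stores its own mtime in the member header; pin that too.
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=0 if reproducible else ts) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def tampered(tree):
    """Model the compromised build service from the thread: the build host
    patches a source file after checkout, so the shipped artifact is not built
    from the source the auditor reviewed.  (Constructed injection, not a real bug.)"""
    out = dict(tree)
    out["src/main.c"] = b"int main(void) { return 0; } /* injected */\n"
    return out


def audit(published_artifact, reviewed_tree, auditor_env, reproducible):
    """Auditor rebuilds the reviewed source independently and compares hashes.
    The hash of a good rebuild is what one would sign and publish once."""
    mine = build(reviewed_tree, auditor_env, reproducible)
    return sha256(mine) == sha256(published_artifact)


def scenario(reproducible, service_tampers):
    """What the auditor sees: True = hashes match, False = mismatch."""
    tree_on_service = tampered(SOURCE_TREE) if service_tampers else SOURCE_TREE
    published = build(tree_on_service, ENV_BUILD_SERVICE, reproducible)
    return audit(published, SOURCE_TREE, ENV_AUDITOR, reproducible)


if __name__ == "__main__":
    for repro in (False, True):
        for evil in (False, True):
            print(f"reproducible={repro!s:5} tampered={evil!s:5} "
                  f"match={scenario(repro, evil)}")
```

Without the pinned fields, an honest build and a tampered build both fail to match the auditor's rebuild, so the comparison carries no signal and the hash the service publishes can only be taken on trust. With them, the honest case matches bit for bit and only the patched source produces a mismatch, which is the whole point of demanding identical output: one party reproduces, signs the hash, and everyone else only needs to compare.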