So I would disagree on this, at least for me personally. I would def like to be able to rebuild Debian packages deterministically from source and check that they are identical to the public versions.
You can say that if you like, but you have just defined “possibility to surface signing key abuse” as “no security benefit over open source”. I will concede this if I get copies of all Debian package signing keys & passphrases in return.
No, I am saying there is no security benefit to *reproducible builds* over open source. There is benefit to avoiding compromised code signing keys, but you *can already* do that with open source. Therefore, "reproducible builds have no security benefit over open source".
New conversation
Reproducible builds help glue together software supply chain security, e.g. how do you know which versions of dependencies are included, was it built from a two-party approved commit, etc.
Easy: You already have to build the software yourself in order to verify it reproduces, so then you use that build. Then it doesn't matter if they're bit-for-bit identical or not.
New conversation
Really no benefit? Do you inspect your compiler output? Linker? Build libc, etc., from scratch?
Walk me through the attack you're imagining. Someone has backdoored your linker, and your solution to this problem is to do some reproducible builds on a few projects and check if the output matches?
New conversation
The difference is whether everyone has to rebuild all their software themselves vs. a couple of people can rebuild it and publish their own additional signatures for you, right? And if everyone rebuilds it, that's gonna waste a lot of time.
… and a lack of doability of verification means a lack of verification, or reduced update cycles.
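One way to express the check the replies above are arguing about (independent rebuilders publish the digest they obtained from source, and a vendor's published binary is accepted only if enough of them agree), as an added example that is not part of this thread. The artifact bytes, rebuilder names and threshold are constructed for illustration; real rebuilder attestations would also carry a signature that this example does not model.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    rebuilder: str  # independent party that rebuilt the package from source
    digest: str     # SHA-256 hex of the artifact their rebuild produced


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_reproduction(published: bytes, attestations, threshold: int) -> dict:
    """Compare a published artifact against independent rebuilders' digests.

    'reproducible'              : at least `threshold` rebuilders match, none dissent
    'reproducible-with-dissent' : quorum reached but some rebuilder disagrees
    'unverified'                : quorum not reached (e.g. a binary that only the
                                  publisher's own signing key vouches for)
    """
    actual = sha256_hex(published)
    agree = sorted({a.rebuilder for a in attestations if a.digest == actual})
    disagree = sorted({a.rebuilder for a in attestations if a.digest != actual})
    if len(agree) >= threshold and not disagree:
        verdict = "reproducible"
    elif len(agree) >= threshold:
        verdict = "reproducible-with-dissent"
    else:
        verdict = "unverified"
    return {"verdict": verdict, "digest": actual, "agree": agree, "disagree": disagree}


# Constructed sample data: the bytes every honest rebuild produces, and a
# different binary that only the publisher's key would vouch for.
SOURCE_BUILD = b"ELF\x00constructed-package-contents-v1.2.3"
TAMPERED_BUILD = b"ELF\x00constructed-package-contents-v1.2.3+extra"

REBUILDER_ATTESTATIONS = [
    Attestation("rebuilder-a", sha256_hex(SOURCE_BUILD)),
    Attestation("rebuilder-b", sha256_hex(SOURCE_BUILD)),
    Attestation("rebuilder-c", sha256_hex(SOURCE_BUILD)),
]


def vendor_binary_matches() -> str:
    return check_reproduction(SOURCE_BUILD, REBUILDER_ATTESTATIONS, threshold=2)["verdict"]


def vendor_binary_differs() -> dict:
    return check_reproduction(TAMPERED_BUILD, REBUILDER_ATTESTATIONS, threshold=2)
```

A consumer who trusts the quorum never has to rebuild locally; a mismatch surfaces a binary that the source does not account for, whatever key signed it.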