I'm not conflating reproducible builds with open source. What I'm saying is if I am able to reproduce the exact same thing as someone else ships in binary, only then I can make a statement based on my code observations about the binary they ship. Since I don't think that's hard,
Replying to @dEnergy_dTime @taviso and
I've really reached the point where I think you insist on willfully ignoring that. I don't know how to convince you other than with logic, so I guess I'll stop trying.
Replying to @dEnergy_dTime @RichFelker and
Marcus, you've invented a fantasy threat model and you're upset that I don't agree we should defend against it. You don't need reproducible builds, you need open source. So yes, please stop trying.
Replying to @taviso @dEnergy_dTime and
But open source in absence of reproducible builds isn’t really a solution, unless you’re going to independently audit the entire source every time. A reproducible build lets you at least verify that you can build the same thing as the official builds from the same source/tools.
Essentially, it allows third parties to verify that e.g. the official builds have not been tampered with wrt the publicly available source code. The model isn’t unlike the PGP Web Of Trust, for better or for worse.
Obviously, without periodic, labor-intensive and expensive audits to ensure that the source hasn’t been compromised, it’s not perfect, but it at least provides for third-party attestation that the official build matches the source that’s publicly available. There’s value there.
Agreed with your later point that if you’re just building it yourself, it’s not a *lot* more useful, but it guards against the scenario where e.g. backdoored builds are slipped into the main site vs. slipped into the source, because the checksums will diverge.
Replying to @6502_ftw @dEnergy_dTime and
Nobody claims reproducible builds prevent backdoors, they definitely don't. People do (correctly) claim they prevent compromised build servers from producing tainted binaries. I'm saying you can do that *today*, *without* reproducible builds.
Replying to @taviso
Did you describe how to do that instead? I couldn't find it, but it's hard to navigate these threads and I get the impression that whether there is a good alternative to using reproducible builds for this is a point of contention in this discussion.
Replying to @jix_
Well, reproducible builds work like this: I give you a source tarball that you *have* to trust (if you don't there might be bugdoors), and a binary that might be tainted. You rebuild the binary, and verify it's bit-for-bit identical, therefore not tainted.
You now have two bit-for-bit identical binaries, one you trust and one you don't and therefore know they're both safe. I'm saying, who cares about the vendor supplied one? Just use the one you built, and it doesn't matter if it was reproducible or not.
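The procedure described in the posts above (a source release you have to trust, a vendor binary you do not, an independent rebuild, and a bit-for-bit comparison) as an added example that is not part of the thread. Packaging a source tree into a tar archive stands in for compilation; the source files, the timestamps and the "tampered" variant are constructed for the example, and SOURCE_DATE_EPOCH is used the way reproducible-builds.org recommends, as a fixed stand-in for the build time. The naive packager leaks filesystem metadata (mtime, ownership, mode) into the artifact, so two honest builds already disagree and a tampered build cannot be told apart from noise; the normalized packager depends only on file names and contents, so an honest rebuild reproduces the official artifact exactly and a tampered one fails the hash comparison:

```python
"""Added example, not code from the thread: a minimal reproducible-build check.
Two builds of the same constructed source tree are compared by SHA-256; only the
normalized packager produces identical bytes across machines/days."""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed "source release" that both vendor and auditor are assumed to trust.
SOURCE_FILES = {
    "src/main.c": b"int main(void){return 0;}\n",
    "src/util.c": b"int util(void){return 1;}\n",
    "README": b"demo\n",
}

# Fixed build timestamp (the reproducible-builds.org SOURCE_DATE_EPOCH convention).
SOURCE_DATE_EPOCH = 1_600_000_000


def write_tree(root: str, files: dict, mtime: int) -> None:
    """Materialize the source tree, stamping every file with `mtime` to simulate
    checkouts made at different times on the vendor and auditor machines."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))


def naive_build(root: str) -> bytes:
    """Typical non-reproducible packaging: tarfile.add() records the real mtime,
    uid/gid and mode of whatever it finds on disk."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname="pkg")
    return buf.getvalue()


def reproducible_build(root: str) -> bytes:
    """Deterministic packaging: sorted member order, fixed mtime, fixed ownership
    and mode, so the archive is a function of file names and contents only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # os.walk descends in the order left in this list
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                info = tar.gettarinfo(full, arcname="pkg/" + rel)
                info.mtime = SOURCE_DATE_EPOCH
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644  # do not let the build host's umask leak in
                with open(full, "rb") as f:
                    tar.addfile(info, f)
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_in_fresh_tree(builder, files: dict, checkout_mtime: int) -> bytes:
    """Run `builder` against a fresh checkout stamped with `checkout_mtime`."""
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(tmp, files, checkout_mtime)
        return builder(tmp)


def verify_official(official: bytes, rebuilt: bytes) -> bool:
    """The check from the thread: accept the vendor artifact only if the
    independent rebuild from the trusted source is bit-for-bit identical."""
    return sha256(official) == sha256(rebuilt)


def demo() -> dict:
    # Honest vendor build and honest auditor rebuild, checked out a day apart.
    naive_vendor = build_in_fresh_tree(naive_build, SOURCE_FILES, 1_700_000_000)
    naive_audit = build_in_fresh_tree(naive_build, SOURCE_FILES, 1_700_086_400)
    repro_vendor = build_in_fresh_tree(reproducible_build, SOURCE_FILES, 1_700_000_000)
    repro_audit = build_in_fresh_tree(reproducible_build, SOURCE_FILES, 1_700_086_400)
    # Compromised build server: same published source, one byte changed in what it ships.
    tampered = dict(SOURCE_FILES)
    tampered["src/main.c"] = b"int main(void){return 1;}\n"
    repro_tampered = build_in_fresh_tree(reproducible_build, tampered, 1_700_000_000)
    return {
        "naive_honest_matches": verify_official(naive_vendor, naive_audit),
        "repro_honest_matches": verify_official(repro_vendor, repro_audit),
        "repro_tampered_matches": verify_official(repro_tampered, repro_audit),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the first result is the one the thread keeps circling: without normalization the auditor's honest rebuild already differs from the vendor's, so a mismatch proves nothing and the vendor binary cannot be checked at all. Only once honest rebuilds agree does a divergent hash become evidence of a tampered official build rather than a different build host.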
Replying to @taviso
Sorry, I don't see how that helps in stopping a compromised build server from distributing compromised binaries undetected. What am I missing?
Replying to @jix_
I don't know, walk me through the attack you're imagining. I think if you used my system, the tainted binary will never execute on your system, so it's irrelevant if it's compromised or not?