Did you describe how to do that instead? I couldn't find it, but it's hard to navigate these threads and I get the impression that whether there is a good alternative to using reproducible builds for this is a point of contention in this discussion.
Replying to @jix_
Well, reproducible builds work like this: I give you a source tarball that you *have* to trust (if you don't there might be bugdoors), and a binary that might be tainted. You rebuild the binary, and verify it's bit-for-bit identical, therefore not tainted.
You now have two bit-for-bit identical binaries, one you trust and one you don't and therefore know they're both safe. I'm saying, who cares about the vendor supplied one? Just use the one you built, and it doesn't matter if it was reproducible or not.
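The check described above, as an added example that is not from either participant in the thread: rebuild from the trusted source, then compare the result bit-for-bit against the vendor-supplied artifact. The "source", the two hypothetical "compilers" (one whose output depends only on its input, one that embeds a timestamp and build counter the way real toolchains embed __DATE__, build paths or archive mtimes), and the vendor artifacts are all constructed inline so the script runs offline. The third case shows the caveat a practitioner cares about: if the toolchain is not reproducible, a mismatch cannot tell tainting apart from ordinary build noise.

```shell
#!/bin/sh
# Added example (not code from the thread): reproducible-build verification.
# Everything here is constructed: the source, the "compilers" and the artifacts.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed source file standing in for the trusted source tarball.
SRC="$WORK/src.c"
printf 'int main(void) { return 0; }\n' > "$SRC"

# Hypothetical reproducible "compiler": output depends only on the input bytes.
build_reproducible() {   # $1 = source, $2 = output
    tr 'a-z' 'A-Z' < "$1" > "$2"
}

# Hypothetical non-reproducible "compiler": embeds a build timestamp and a
# build counter, so two honest builds of identical source still differ.
BUILD_NO=0
build_unreproducible() { # $1 = source, $2 = output
    BUILD_NO=$((BUILD_NO + 1))
    { printf 'BUILT=%s.%s\n' "$(date +%s)" "$BUILD_NO"; tr 'a-z' 'A-Z' < "$1"; } > "$2"
}

# verify_rebuild BUILD_FN SOURCE VENDOR_BINARY
# Rebuild from the trusted source with BUILD_FN and compare the result
# bit-for-bit against VENDOR_BINARY. Returns 0 if identical, 1 otherwise.
verify_rebuild() {
    rebuilt="$WORK/rebuilt.$$"
    "$1" "$2" "$rebuilt"
    if cmp -s "$rebuilt" "$3"; then
        return 0
    else
        return 1
    fi
}

# Constructed vendor artifacts: an honest build, a build whose output the
# "build server" tampered with, and an honest but non-reproducible build.
VENDOR_CLEAN="$WORK/vendor-clean.bin"
VENDOR_TAINTED="$WORK/vendor-tainted.bin"
VENDOR_NOISY="$WORK/vendor-noisy.bin"
build_reproducible "$SRC" "$VENDOR_CLEAN"
build_reproducible "$SRC" "$VENDOR_TAINTED"
printf 'BACKDOOR\n' >> "$VENDOR_TAINTED"      # simulated compromise of the build output
build_unreproducible "$SRC" "$VENDOR_NOISY"

check() {                # $1 = label, $2 = build fn, $3 = vendor binary
    if verify_rebuild "$2" "$SRC" "$3"; then
        echo "$1: MATCH    (rebuild is bit-for-bit identical)"
    else
        echo "$1: MISMATCH (tainted, or the build is not reproducible)"
    fi
}

check "clean vendor binary, reproducible toolchain"   build_reproducible   "$VENDOR_CLEAN"
check "tainted vendor binary, reproducible toolchain" build_reproducible   "$VENDOR_TAINTED"
check "clean vendor binary, unreproducible toolchain" build_unreproducible "$VENDOR_NOISY"
```

`cmp -s` is the literal bit-for-bit test; hashing both files with `sha256sum` and comparing digests is the usual way to do the same thing when the reference build lives on another machine. The last case prints MISMATCH even though nothing was tampered with, which is exactly why the check is only meaningful once the build itself is reproducible.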
Replying to @taviso
Sorry, I don't see how that helps in stopping a compromised build server from distributing compromised binaries undetected. What am I missing?
Replying to @jix_
I don't know, walk me through the attack you're imagining. I think if you used my system, the tainted binary will never execute on your system, so it's irrelevant if it's compromised or not?
Replying to @taviso
I'm just trying to follow your argument, and I understood https://twitter.com/taviso/status/1265052138071195650 to mean that you have an alternative to reproducible builds for stopping a compromised build server from distributing tainted binaries. So you disagree with the premise that that's a worthwhile goal?
Quoted tweet (Tavis Ormandy, @taviso, replying to @6502_ftw @dEnergy_dTime and 9 others): Nobody claims reproducible builds prevent backdoors, they definitely don't. People do (correctly) claim they prevent compromised build servers from producing tainted binaries. I'm saying you can do that *today*, *without* reproducible builds.
If that's the case I'd refer to David A. Wheeler's thesis (and the thesis website) for arguments why I think it is a worthwhile goal and better than just compiling locally. If I did misunderstand you, sorry, I'm probably too tired and should sleep instead.
Replying to @jix_
Yes, it's arbitrarily specific? Everything else has to remain trusted. It's also never happened, have there ever been any cases of tainted binaries from compromised build infra? Lots of tainted src repos, src tarballs, signing infra, distribution, etc, though.
Replying to @taviso
There have been, search for XcodeGhost on https://dwheeler.com/trusting-trust/
Also the thesis describes how diversity and independent compilation on isolated systems can be used to increase trust and avoid a single point of failure.
Replying to @jix_
I'm aware of it, I don't think it really qualifies, it wasn't *build infra* being compromised - they could just as easily have modified source code. Dozens of examples of source tarballs or repos being modified though.
Replying to @taviso
I guess this is the point of disagreement then (at least for me)
Replying to @jix_
Hmm, you don't agree build reproducibility *has* to have separate build infra to even be relevant? Otherwise the attacker can just modify source code, for example.