I'm just trying to follow your argument and I understood https://twitter.com/taviso/status/1265052138071195650 … in that you have an alternative to reproducible builds from stopping a compromised build server from distributing tainted binaries. So you disagree with the premise that that's a worthwhile goal?
If that's the case I'd refer to David A. Wheeler's thesis (+ thesis website) for arguments why I think it is a worthwhile goal and better than just compiling locally. If I did misunderstand you, sorry, I'm probably too tired and should sleep instead.
Replying to @jix_
Yes, it's arbitrarily specific? Everything else has to remain trusted. It's also never happened, have there ever been any cases of tainted binaries from compromised build infra? Lots of tainted src repos, src tarballs, signing infra, distribution, etc, though.
Replying to @taviso
There have been, search for XcodeGhost on https://dwheeler.com/trusting-trust/
Also the thesis describes how diversity and independent compilation on isolated systems can be used to increase trust and avoid a single point of failure.
Replying to @jix_
I'm aware of it, I don't think it really qualifies, it wasn't *build infra* being compromised - they could just have easily modified source code. Dozens of examples of source tarballs or repos being modified though.
Replying to @taviso
I guess this is the point of disagreement then (at least for me)
Replying to @jix_
Hmm, you don't agree build reproducibility *has* to have separate build infra to even be relevant? Otherwise the attacker can just modify source code, for example.
Replying to @taviso
I think reproducibility has to have separate systems running the builds, but not necessarily the project's own infra. For me the focus is on detectability. Modified source will be found because people will eventually look at the source. For modified binaries that's not the case.
Again, I'm aware that I'm probably not stating things as clearly as I'd like to currently. I might try again tomorrow.
My job is literally to look at binaries. 