We agree that you can check if a build server is compromised or not with reproducible builds. I'm not saying you can't enjoy doing that if you like, but I am saying there's no security benefit over just open source.
Replying to @taviso @halvarflake and
Reproducible builds help glue together software supply chain security, e.g. how do you know which versions of dependencies are included, was it built from a two-party approved commit, etc.
Replying to @mik235 @halvarflake and
Easy: You already have to build the software yourself in order to verify it reproduces, so then you use that build. Then it doesn't matter if they're bit-for-bit identical or not.
You are assuming that I have an in-house build/package/deploy system. Google does. Most places don't. There's a fleet size N (N > 1, N < ???) where I don't want to compile MySQL from source on every host.
Then how are you going to verify the build reproduces?
I'll verify it on 1 host. Verify the binary checksum. Use the binary on the other 100.
You said you don't "have an in-house build". So I guess you do now, then why can't you distribute that build? That doesn't require reproducible builds, and has the same security benefits.
I said I don't have an in-house build/package/deploy system. I didn't say I don't have a build system.
Which part don't you have? The packaging is one more command, no?
The part where I would have to re-invent the package distribution wheel.
You do want to reinvent the building wheel though right? The packaging is trivial, and the distribution isn't difficult: You already have to stage official packages while you build and verify them, no?
I reproduce the build once. Checksum passes. I deploy the binary (that I now trust) 1000 times using existing distribution channels. Easy is more expensive than free.
Yes, agreed. So at the moment, you reproduce the build once, verify the checksum, then deploy the official binary. I'm saying, build it once, then deploy *your* binary. Where is the flaw in that system? You must already be able to run a command on every system, right?