because in a scenario where the dev may have had his signing keys compromised, and someone has compromised the bin repo, I have a chance of knowing. it goes back to "I want to be able to establish that a given binary was built from a given source snapshot".
Replying to @halvarflake @taviso and
key compromise in the absence of universal codesigning transparency has a silent failure mode. deterministic builds can help alleviate that.
1 reply 2 retweets 7 likes -
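The check the thread is arguing about, as an added example that is not part of any participant's post: a release is accepted only if the vendor signature verifies AND an independent rebuild from the source snapshot produces the same digest. The outcome "signature valid, build does not reproduce" is exactly the silent failure of a stolen signing key that signature checking alone cannot see. Everything here is constructed: the source snapshot, the vendor key, and the "build" are stand-ins, and HMAC stands in for the vendor's asymmetric code-signing signature so the script runs with the standard library only.

```python
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    CONSISTENT = "signature valid and binary reproduces from source"
    BAD_SIGNATURE = "signature does not verify: reject"
    KEY_OR_PIPELINE_COMPROMISE = (
        "signature valid but binary does not reproduce from source: "
        "treat signing key or build pipeline as compromised"
    )


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reproduce_build(source_snapshot: dict) -> bytes:
    # Stand-in for a deterministic build (assumption): the output depends
    # only on the source snapshot, with files processed in sorted order so
    # that dictionary ordering cannot change the result.
    out = bytearray()
    for name in sorted(source_snapshot):
        out += name.encode() + b"\0" + source_snapshot[name] + b"\n"
    return bytes(out)


def vendor_sign(signing_key: bytes, artifact: bytes) -> bytes:
    # HMAC stands in for the vendor's code-signing signature so the example
    # runs without third-party libraries (assumption; a real vendor would use
    # an asymmetric scheme such as Ed25519 or RSA with a public verify key).
    return hmac.new(signing_key, artifact, hashlib.sha256).digest()


def vendor_verify(signing_key: bytes, artifact: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(vendor_sign(signing_key, artifact), signature)


def check_release(artifact: bytes, signature: bytes, vendor_key: bytes,
                  source_snapshot: dict) -> Verdict:
    if not vendor_verify(vendor_key, artifact, signature):
        return Verdict.BAD_SIGNATURE
    # A valid signature only says "signed with the vendor's key". Rebuild the
    # source snapshot independently and compare digests to find out whether
    # that key signed something the source does not produce.
    if sha256_hex(artifact) != sha256_hex(reproduce_build(source_snapshot)):
        return Verdict.KEY_OR_PIPELINE_COMPROMISE
    return Verdict.CONSISTENT


# Constructed sample data, not a real project.
SOURCE_SNAPSHOT = {
    "Makefile": b"all: main",
    "main.c": b"int main(void) { return 0; }",
}
VENDOR_KEY = b"vendor-release-key"  # constructed stand-in for the vendor's key


def scenarios() -> dict:
    honest = reproduce_build(SOURCE_SNAPSHOT)
    honest_sig = vendor_sign(VENDOR_KEY, honest)

    # Attacker who stole the signing key signs a backdoored binary and
    # plants it in the binary repo: the signature verifies.
    backdoored = honest + b"/* backdoor */\n"
    stolen_key_sig = vendor_sign(VENDOR_KEY, backdoored)

    # Attacker who compromised the repo but not the key: signature fails.
    forged_sig = vendor_sign(b"attacker-key", backdoored)

    return {
        "honest": check_release(honest, honest_sig, VENDOR_KEY, SOURCE_SNAPSHOT),
        "stolen_key": check_release(backdoored, stolen_key_sig, VENDOR_KEY, SOURCE_SNAPSHOT),
        "repo_only": check_release(backdoored, forged_sig, VENDOR_KEY, SOURCE_SNAPSHOT),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:11s} -> {verdict.value}")
```

The "stolen_key" case is the one the thread is about: a signature-only consumer accepts it, a consumer who also reproduces the build flags it, and the difference is visible to everyone who runs the comparison, not only to people who would otherwise have built from source anyway.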
Replying to @halvarflake @taviso and
the reason I want this is also personal: If I was paid to pwn, gathering the world's code signing keys would be a rather high item on my todo.
3 replies 1 retweet 10 likes -
Replying to @halvarflake @dEnergy_dTime and
That doesn't make sense though, the only way you can know is because you also built it - at which point you don't need the signed binaries! The code signing is only useful if you want to know the binaries were produced by a vendor you already trust.
1 reply 0 retweets 2 likes -
Replying to @taviso @dEnergy_dTime and
explain to me again how having built the binaries surfaces the use of compromised keys for the binaries on the repo?
1 reply 0 retweets 2 likes -
Replying to @halvarflake @dEnergy_dTime and
It doesn't matter - you *have* trusted binaries, you were going to build them anyway. Codesigning is only relevant for people who don't have trusted binaries, but do have a vendor they trust, right?
1 reply 0 retweets 2 likes -
Replying to @taviso @dEnergy_dTime and
I am not sure you are engaging with my argument. To repeat: I like deterministic builds because they may surface use of compromised signing keys. I don't think you get to decide that I should not care because I can build my own (trusted) binaries.
1 reply 1 retweet 14 likes -
Replying to @halvarflake @dEnergy_dTime and
We agree that you can check if a build server is compromised or not with reproducible builds. I'm not saying you can't enjoy doing that if you like, but I am saying there's no security benefit over just open source.
4 replies 0 retweets 1 like -
Replying to @taviso @halvarflake and
Really no benefit? Do you inspect your compiler output? Linker? Build libc, etc., from scratch?
2 replies 0 retweets 2 likes -
To paraphrase your colleague Ken, how do you trust your compiler?
1 reply 0 retweets 2 likes
It's fun to daydream about RoTT, but it's not really relevant here. You're imagining an attack where *your* system is already compromised, but the vendor's system is safe, right? How will reproducible builds help in your scenario?