key compromise in the absence of universal codesigning transparency has a silent failure mode. deterministic builds can help alleviate that.
Replying to @halvarflake @taviso and
the reason I want this is also personal: If I was paid to pwn, gathering the world's code signing keys would be a rather high item on my todo.
3 replies 1 retweet 10 likes -
Replying to @halvarflake @dEnergy_dTime and
That doesn't make sense though, the only way you can know is because you also built it - at which point you don't need the signed binaries! The code signing is only useful if you want to know the binaries were produced by a vendor you already trust.
1 reply 0 retweets 2 likes -
Replying to @taviso @dEnergy_dTime and
explain to me again how having built the binaries surfaces the use of compromised keys for the binaries on the repo?
1 reply 0 retweets 2 likes -
Replying to @halvarflake @dEnergy_dTime and
It doesn't matter - you *have* trusted binaries, you were going to build them anyway. Codesigning is only relevant for people who don't have trusted binaries, but do have a vendor they trust, right?
1 reply 0 retweets 2 likes -
Replying to @taviso @dEnergy_dTime and
I am not sure you are engaging with my argument. To repeat: I like deterministic builds because they may surface use of compromised signing keys. I don't think you get to decide that I should not care because I can build my own (trusted) binaries.
1 reply 1 retweet 14 likes -
Replying to @halvarflake @dEnergy_dTime and
We agree that you can check if a build server is compromised or not with reproducible builds. I'm not saying you can't enjoy doing that if you like, but I am saying there's no security benefit over just open source.
4 replies 0 retweets 1 like -
Replying to @taviso @halvarflake and
Really no benefit? Do you inspect your compiler output? Linker? Build libc, etc., from scratch?
2 replies 0 retweets 2 likes -
Replying to @RichSalz @halvarflake and
Walk me through the attack you're imagining. Someone has backdoored your linker, and your solution to this problem is to do some reproducible builds on a few projects and check if the output matches?
1 reply 0 retweets 1 like -
Replying to @taviso @halvarflake and
No. Reproducible builds for your toolchain since you think having the source suffices.
1 reply 0 retweets 0 likes
I think having the source suffices to prevent against every attack *that reproducible builds prevent*. I don't think it's sufficient to prevent *every* attack. If your linker has already been compromised, I don't think anyone claims reproducible builds are the answer except you?