I don't have a delivery mechanism for *MY* binary. I don't want to build it - it already exists.
Can you run a command on every system?
It's my infrastructure - In theory I can build anything to do anything. I don't want to.
If I understand correctly, you are seriously concerned your vendor's build server is compromised. You're concerned enough that you're willing to rebuild every package manually, but you draw the line at copying files around? Do you at least agree it's not a *strong* argument?
Leif Ryge Retweeted Leif Ryge
What you seem to be missing is the fact that users don't need to rebuild anything themselves in order to benefit from reproducible builds: https://twitter.com/wiretapped/status/1265026855121420289
Leif Ryge added,
Leif Ryge @wiretapped Replying to @taviso @dEnergy_dTime and 9 others
everyone will benefit from reproducible builds when software update mechanisms begin to require signatures from at least m of n of the expected builders. then the build infrastructure will no longer contain SPOFs which can independently modify software. bugdoors are orthogonal.
Replying to @wiretapped @tgenov and
What you seem to be missing is that you can get all the same security benefits *today* without having to spend millions developing new build systems. Do you agree we're just not seeing attackers produce tainted binaries from trusted but compromised build servers?
how, by having each endpoint build the code itself? aside from being impractical, that also doesn't provide the same assurance that they're all running good binaries. re: your q, absence of evidence isn't evidence of absence, and no, i do not agree. e.g. https://theintercept.com/2015/03/10/ispy-cia-campaign-steal-apples-secrets/ pic.twitter.com/qDVLl7B1MI
Replying to @wiretapped @tgenov and
Each endpoint could build, or you can get someone you already have to trust to build it for you, which is how it works today. That seems to be working pretty well, as you have to really stretch to provide any examples of it not working, correct?
Leif Ryge Retweeted Leif Ryge
I have no idea who has root on my OS vendor's build infrastructure. Whoever they are, I would like to not need to trust them. Confidence in the source code is an entirely orthogonal problem to confidence that a binary came from the source it claims. https://twitter.com/wiretapped/status/1265038148289155077
Leif Ryge added,
Leif Ryge @wiretapped Replying to @taviso @dEnergy_dTime and 9 others
"Someone you trust needs to build the software." This is it exactly! Without reproducible builds, your statement is true. But with reproducible builds, it becomes possible to avoid needing to pick a single someone to trust to build the software.
Replying to @wiretapped @taviso and
repro builds are actually also useful for closed-source software: vendors like Apple and Microsoft should have multiple independent teams maintaining separate parallel build infrastructures, to remove opportunities for malfeasance which individual build engineers currently have
The thing is, when people compromise build servers at places like Microsoft and Apple, they're not trying to taint binaries: They're trying to steal proprietary source code which all gets funneled through the build servers. That *actually* happens, and is not theoretical.
Replying to @taviso @wiretapped and
What you're suggesting makes that attack *more* likely. You have to have more build infrastructure to maintain, which means more attack surface, and more opportunities for an attacker to compromise them, agreed?
sure, adding more build infra certainly increases the # of theoretical opportunities for attackers to obtain confidential source code but i suspect there aren't a lot of publicly-known cases of that happening either? in my opinion, user safety is more important than code secrecy.