Reproducible Builds
2017-07-27 20:47:46.487538+02 by
Dan Lyke
1 comments
How Debian Is Trying to Shut Down the CIA and
Make Software Trustworthy Again:
"We are not discussing a hypothetical attack here," he said. "This is a real
attack. We are talking about developers in totally good faith producing software, the binary
they would give you, and even if they are of good faith, we could be totally owned."
Essentially trying to find solutions for the problems that Ken Thompson mentioned in
Reflections on Trusting Trust.
[ related topics:
Free Software Interactive Drama Open Source Software Engineering
]
comments in ascending chronological order (reverse):
#Comment Re: Reproducible Builds made: 2017-07-28 06:35:33.741463+02 by:
Jack William Bell
The 'Trusting Trust' problem is something I think about a lot. Seriously.
The only solution I've come up with is starting from scratch: writing an assembler in machine language and then bootstrapping up from there with carefully reviewed code. I don't think their idea of 'reproducible builds' goes far enough, assuming the underlying build system is already compromised.
And, of course, even my solution isn't good enough if the firmware or hardware is compromised. (Think 'MMU runs a mini OS and can exfiltrate memory dumps or infiltrate and overwrite memory using special registers in the network chips for communications.') So, basically, were screwed.