Flutterby™! : Reproducible Builds


Reproducible Builds

2017-07-27 18:47:46.487538+00 by Dan Lyke 1 comments

How Debian Is Trying to Shut Down the CIA and Make Software Trustworthy Again:

"We are not discussing a hypothetical attack here," he said. "This is a real attack. We are talking about developers in totally good faith producing software, the binary they would give you, and even if they are of good faith, we could be totally owned."

Essentially trying to find solutions for the problems that Ken Thompson mentioned in Reflections on Trusting Trust.


Comments in ascending chronological order:

#Comment Re: Reproducible Builds made: 2017-07-28 04:35:33.741463+00 by: Jack William Bell

The 'Trusting Trust' problem is something I think about a lot. Seriously.

The only solution I've come up with is starting from scratch: writing an assembler in machine language and then bootstrapping up from there with carefully reviewed code. I don't think their idea of 'reproducible builds' goes far enough, assuming the underlying build system is already compromised.

And, of course, even my solution isn't good enough if the firmware or hardware is compromised. (Think 'MMU runs a mini OS and can exfiltrate memory dumps or infiltrate and overwrite memory using special registers in the network chips for communications.') So, basically, we're screwed.

Flutterby™ is a trademark claimed by Dan Lyke for the web publications at www.flutterby.com and www.flutterby.net.