[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [oss-security] Mitigating malicious packages in gnu/linux



> There is not a definitive solution here. But there are multiple efforts and
> research going on. The most important one, in my opinion, is the reproducible
> builds project [1]. We need to ensure we are not inserting random or
> non-deterministic data into our build artifacts. This stretches from upstream
> developers providing tarballs, to pre-compiled sources and packages from
> distributions. There is no distribution today that has full reproducible builds,
> but there are many projects that work towards this and work on reproducible
> builds.

One attack that is not solved by reproducible builds is one on the toolchain.
This can be solved with bootstrappable builds[1] which is about minimizing the
number of trusted binaries that are needed to produce the toolchain, that
produced the toolchain, ... that was used to build your package.

There was a talk this year called "Bitcoin Build System Security" by Carl Dong
about this topic[2].

[1] https://bootstrappable.org
[2] https://www.youtube.com/watch?v=I2iShmUTEl8