[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [oss-security] Mitigating malicious packages in gnu/linux



Hi,

Tim Kuijsten <info+oss-security AT netsend.nl> skribis:

>> There is not a definitive solution here. But there are multiple efforts and
>> research going on. The most important one, in my opinion, is the reproducible
>> builds project [1]. We need to ensure we are not inserting random or
>> non-deterministic data into our build artifacts. This stretches from upstream
>> developers providing tarballs, to pre-compiled sources and packages from
>> distributions. There is no distribution today that has full reproducible builds,
>> but there are many projects that work towards this and work on reproducible
>> builds.
>
> One attack that is not solved by reproducible builds is one on the toolchain.
> This can be solved with bootstrappable builds[1] which is about minimizing the
> number of trusted binaries that are needed to produce the toolchain, that
> produced the toolchain, ... that was used to build your package.

Efforts in that area are fruitful and have already led to a smaller set
of “bootstrap seeds” (binaries from which the rest of the system is
built from source) for GNU Guix, an important step forward:

  https://guix.gnu.org/blog/2019/guix-reduces-bootstrap-seed-by-50/

Thanks to people working on GNU Mes and related projects at
<https://bootstrappable.org/>, we have good hope to see that set of
bootstrap seeds further reduced soon.

Reproducible builds and bootstrappable builds enable provenance tracking
and auditing, which are key to security.

Ludo’.