[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [oss-security] Mitigating malicious packages in gnu/linux

On Tue, Nov 19, 2019 at 03:37:23PM +0100, Tim Kuijsten wrote:
> > There is not a definitive solution here. But there are multiple efforts and
> > research going on. The most important one, in my opinion, is the reproducible
> > builds project [1]. We need to ensure we are not inserting random or
> > non-deterministic data into our build artifacts. This stretches from upstream
> > developers providing tarballs, to pre-compiled sources and packages from
> > distributions. There is no distribution today that has full reproducible builds,
> > but there are many projects that work towards this and work on reproducible
> > builds.
> One attack that is not solved by reproducible builds is one on the toolchain.
> This can be solved with bootstrappable builds[1] which is about minimizing the
> number of trusted binaries that are needed to produce the toolchain, that
> produced the toolchain, ... that was used to build your package.

Indeed. Reproducible builds does not solve the case described by Ken Thompson in
Trusting Trust [1], nor enables the work described by David Wheeler and DDC [2].
But that isn't explicitly the goal either. We first need to be in a state where
we are capable of reproducing the distributed artifacts. Then we can investigate
the boostrap problem.

Which is why Reproducible Builds is also invested in this problem :) There is a
yearly summit with projects that contribute to reproducible builds. Last year in
Paris there where 3 sessions on bootstrapping [3][4][5]. The sessions where
mostly lead by Guix developers if I recall correctly, and they have been doing
great progress on this problem [6].

(I see Ludovic replied first but sent it regardless :D)

[1]: https://dl.acm.org/citation.cfm?id=358210
[2]: https://dwheeler.com/trusting-trust/
[3]: https://reproducible-builds.org/events/paris2018/report/#Toc11358_331763073
[4]: https://reproducible-builds.org/events/paris2018/report/#Toc11376_331763073
[5]: https://reproducible-builds.org/events/paris2018/report/#Toc11402_331763073
[6]: https://guix.gnu.org/blog/2019/guix-reduces-bootstrap-seed-by-50/

Morten Linderud

Attachment: signature.asc
Description: PGP signature