[rb-general] Perfectionism gets in the way?
carlo von lynX
lynX at i.know.you.are.psyced.org
Fri Jan 27 12:37:53 CET 2017
Hi there. From the other discussion I gather that I wasn't
the only one observing a pattern of confusing perfectionism.
I see the philosophical debate you had at the summit, but
I think most users would be fine with something pragmatic
that *improves* the probability of software being secure
*compared* to the insecure operating systems of today.
So if 3 guix devs say they were able to reproduce libiberty.so
for *my* architecture exactly as is distributed by gnunet-fs
or old-fashioned mirror networks, that is a starting point
that is sufficient for *me*.
Reproducible to me is a static factual goal when you define
it in a focused way on a *specific* version for *one* specific
architecture. If somebody fails to recreate the binaries
that 17 other people were able to create, then that is not
a reason to panic. It simply means there is a bug in the
process. But 17 got the same binary, so *that* binary cannot
be affected by attackers, by men in the middle. That is
enough. That the mechanism doesn't *always* work is
irrelevant for security.
I understand Ximin's point that going perfectionistic about
deterministic functional logic means throwing away much of
today's computing technology.
At best you can tell that a package is *not* reproducible, but
that isn't actually important. As soon as two people managed
to compile a package identically, be it because they started
the process in the exact same millisecond, then they created
a binary package that I can trust if I have reason to believe
that these two people would never conspire against me.
Admittedly the term "reproducible" doesn't apply then, but
still that binary package is better than any rpm out there.
So when it comes to facts, the real need on the street is
much easier to achieve as any abstract perfectionism that
may have confused some minds at the summit.
Rok Garbas writes in https://garbas.si/2016/reproducible-builds-summit-in-berlin.html as follows:
| What I realized during the summit is that reproducibility is not something which is true or false, but something that we is true until somebody disproves it. Reproducibility is a goal which we are always working towards, just like security.
But isn't that an overspecification of the problem? Letting
perfectionism distract from the actual goal: having binaries
that a number of other people can confirm to be backdoor-free.
| I got the impression that the sole reason of reproducible builds is that you would be more secure. That implies that everybody cares about security. Which would be great, but in a world with tight deadlines and startups security is usually the first thing that gets crossed out of the list. We need to make a more compelling reason then just security.
As soon as reproducibility is realistic and popular among a
certain percentage of users, professionals and hacktivists,
I can imagine political parties taking the issue into
parliaments, legislating computer reproducibility as a
precondition for all structurally important systems like
hospitals and traffic lights.
Just look at Windows 10: it has been banned from use in
critical systems in several countries already because of
the obvious remote control facilities inside. Those folks
that legislate such bans need something they can recommend
instead, and Ubuntu certainly doesn't qualify for that.
Computer security is in the news every second day. Parliaments
will be very happy to be able to do something about it. You
guys are key players in this. The YBTI law proposal already
*implies* reproducible operating systems as a precondition.
| [...] A refinement of this policy is to install only packages for which k out of n known builders “agree” on what the package contents are.
Of course, since it is enough that a bunch of people that are
unlikely to conspire, agree on that. It doesn't matter if others
are honestly or dishonestly unable to recreate the binary.
E-mail is public! Talk to me in private using encryption:
More information about the rb-general