[rb-general] Comparison of the Debian and Arch .buildinfo approaches (was: Re: buildinfo filename convention)

Arnout Engelen arnout at bzzt.net
Mon Aug 13 17:58:45 CEST 2018


Hello Levente,

Thanks for your thoughts!

On Fri, Aug 10, 2018 at 3:30 PM, Levente Polyak
<levente at leventepolyak.net> wrote:
> Just to be sure: I totally see your points and I'm fully aware of the
> advantages when the .BUILDINFO file is detached, just want to share my
> view on this and why I'm not convinced that it gives enough advantages
> or any meaningful security improvements to live with the potential noise
> and false negatives such approach creates.

Yes, I think we are quite on the same page:
* I agree putting the .BUILDINFO inside the package does not make the
Arch approach any less secure, just less flexible/convenient.
* Indeed just accepting builds from different environments and expecting
them to be consistent would just lead to noise and false negatives. An
attestation from an environment that was different in some nontrivial way
that arrived at the same result can increase your confidence in the validity
of the build, but one that arrives at a different result should not be cause
for concern.

> I'm convinced we still need all the following to provide a meaningful
> amount of security:
> - authenticated upstream sources via signatures
> - reproducible builds to detect malicious uploads
> - review/audit build-blueprints
> - and ultimately: review/audit the upstream sources as well

Yes, reproducible builds are indeed only one part of the puzzle!

> The rebuilder needs some reproduction logic anyway, if you are
> rebuilding a published package

I do think it can be interesting in some cases to compare results of
more widely differing builds. Indeed reprotest is a great tool, but in
some cases it could be neat to be able to do something similar across
different systems/configurations.


Kind regards,

Arnout
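The four outcomes discussed above (same or different environment, same or different result) can be made mechanical. The script below is an added example written for this page; it is not code from the mail, from reprotest or from any Debian or Arch tool. It parses two records in the RFC822-style layout Debian's .buildinfo uses (Checksums-Sha256, Build-Architecture, Build-Path, Installed-Build-Depends, Environment) and classifies the rebuild: identical artifacts from an equivalent environment is a reproduction, identical artifacts from a different environment raises confidence, different artifacts from the same environment is the case to investigate, and different artifacts from a different environment is treated as noise rather than an alarm. The sample records, the package name and the all-"a"/all-"b" checksums are constructed placeholders.

```python
"""Classify a rebuild against a reference .buildinfo record.

Added example for this thread, not part of the original mail or of any
Debian/Arch tooling.  Field names follow Debian's .buildinfo layout; the
sample records below are constructed and the checksums are placeholders.
"""
from dataclasses import dataclass, field

# Fields that describe the build environment.  Build-Date is deliberately
# excluded: it differs between any two builds and says nothing about
# whether the environments were equivalent.
ENV_FIELDS = ("Build-Architecture", "Build-Path",
              "Installed-Build-Depends", "Environment")


def parse_buildinfo(text):
    """Parse an RFC822-style record into {field: [entries]}.

    Continuation lines (leading whitespace) belong to the previous field;
    a multi-line field may have an empty first line.
    """
    fields = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(raw.strip())
        else:
            name, _, value = raw.partition(":")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def artifacts(info):
    """Map filename -> sha256 from the Checksums-Sha256 field."""
    result = {}
    for line in info.get("Checksums-Sha256", []):
        digest, _size, name = line.split()
        result[name] = digest
    return result


def environment(info):
    """Normalise environment fields to sorted tuples so that entry order
    (e.g. of build-depends) is not counted as an environment change."""
    env = {}
    for name in ENV_FIELDS:
        entries = [e.strip().rstrip(",") for e in info.get(name, [])]
        env[name] = tuple(sorted(e for e in entries if e))
    return env


@dataclass
class Verdict:
    status: str
    differing_fields: list = field(default_factory=list)
    differing_artifacts: list = field(default_factory=list)


def compare(reference_text, rebuild_text):
    """reproduced: same env, same artifacts.  independent-match: different
    env, same artifacts (raises confidence).  unreproducible: same env,
    different artifacts (investigate).  inconclusive: different env and
    different artifacts (noise, not by itself a cause for concern)."""
    ref, new = parse_buildinfo(reference_text), parse_buildinfo(rebuild_text)
    ref_env, new_env = environment(ref), environment(new)
    env_diff = sorted(k for k in ENV_FIELDS if ref_env[k] != new_env[k])

    ref_art, new_art = artifacts(ref), artifacts(new)
    if set(ref_art) != set(new_art):
        raise ValueError("records describe different sets of artifacts")
    art_diff = sorted(n for n in ref_art if ref_art[n] != new_art[n])

    if not art_diff:
        status = "reproduced" if not env_diff else "independent-match"
    else:
        status = "unreproducible" if not env_diff else "inconclusive"
    return Verdict(status, env_diff, art_diff)


def record(sha, path="/build/example-1.2", gcc="4:7.3.0-3",
           date="Mon, 13 Aug 2018 10:00:00 +0000"):
    """Build a constructed sample record (hypothetical package 'example')."""
    return f"""\
Format: 1.0
Source: example
Version: 1.2-3
Checksums-Sha256:
 {sha} 1234 example_1.2-3_amd64.deb
Build-Architecture: amd64
Build-Date: {date}
Build-Path: {path}
Installed-Build-Depends:
 gcc (= {gcc}),
 libc6-dev (= 2.27-5)
Environment:
 DEB_BUILD_OPTIONS="parallel=4"
 SOURCE_DATE_EPOCH="1534150800"
"""


REFERENCE = record("a" * 64)

if __name__ == "__main__":
    for label, rebuild in [
        ("same env, same hash", record("a" * 64, date="Tue, 14 Aug 2018 09:00:00 +0000")),
        ("other path, same hash", record("a" * 64, path="/tmp/rb/example-1.2")),
        ("other path, other hash", record("b" * 64, path="/tmp/rb/example-1.2")),
        ("same env, other hash", record("b" * 64)),
    ]:
        print(f"{label}: {compare(REFERENCE, rebuild)}")
```

Only "unreproducible" should page anyone; "inconclusive" is exactly the noise the thread warns about, and a rebuilder that wants to turn it into a signal has to first rebuild in a matching environment (which is what reprotest automates for single-host variations).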

