[rb-general] What is the goal of reproducible builds?

Orians, Jeremiah (DTMB) OriansJ at michigan.gov
Mon Dec 9 15:08:28 UTC 2019


> I'm not absolutely convinced that reproducible builds does not help with the trusting trust attack. 
Well, one wouldn't want to help the trusting trust attack; one tries to defend oneself against it.

> It all boils down as to where did a backdooring compiler come from, and how is it backdooring the build.
Backdooring a compiler can be as simple as adding an optimization without fully understanding the impact
(See GCC optimizations + Linux kernel to see some amazing examples)

The trusting trust attack is a very special case, where reading the source code doesn't allow one to discover the backdoor,
because the backdoor is not in the source code but rather in the digital provenance of the compiler used.

Hence the important distinction and the difference between the two different projects, despite many shared tools and techniques.

Reproducibility is about, well, being able to reproducibly build software.
Bootstrappability is about building digital provenance for our software.

-Jeremiah