[rb-general] What is the goal of reproducible builds?

Santiago Torres-Arias santiago at archlinux.org
Mon Dec 9 15:50:12 UTC 2019


On Mon, Dec 09, 2019 at 03:08:28PM +0000, Orians, Jeremiah (DTMB) wrote:
> > I'm not absolutely convinced that reproducible builds does not help with the trusting trust attack.
> Well one wouldn't want to help the trusting trust attack, one tries to defend oneself against it

If you squint enough, bootstrapping a build just "helps", as it's just a
probabilistic argument to protect against a backdoored toolchain. It's
insecure turtles all the way down.

> > It all boils down as to where did a backdooring compiler come from, and how is it backdooring the build.
> Backdooring a compiler can be as simple as adding an optimization without fully understanding the impact
> (See GCC optimizations + Linux kernel to see some amazing examples)

Sure, my questions are: 
    - how did this backdooring optimization get there?
    - is it in the source code of a known compiler? (e.g., somebody broke into GNU's gcc repository), 
    - or in a package distribution for the compiler? (e.g., Debian's copy)
    - or in a specific installation of such package? (e.g., in your buildfarm)
    - somewhere else in the chain (e.g., a compiler plugin)?

Each of these compromise vectors has different implications for the
backdooring build and requires different approaches to mitigate. Not all
of these require bootstrapping a build (e.g., XCodeGhost), and
bootstrapping a build does not protect against all of these.
Bootstrapping builds offloads the trust assumption to the bootstrapping
toolchain.

The attack vector and the threat model are exactly what's missing from
"defending against the trusting trust attack", and Reproducible Builds
allows you to have semantics that can provide arguments beyond
bootstrappable builds and DDC as a whole.

I am *not* bashing bootstrappable builds, but discounting Reproducible
Builds as "only helps with builds that go unintentionally wrong" is
quite an understatement. 

Thanks,
-Santiago

> [snipped the rest]