[rb-general] What is the goal of reproducible builds?

Bernhard M. Wiedemann bernhardout2 at lsmod.de
Mon Dec 9 16:11:49 UTC 2019


Am 09.12.19 um 16:50 schrieb Santiago Torres-Arias:
>>> It all boils down as to where did a backdooring compiler come from, and how is it backdooring the build.
>> Backdooring a compiler can be as simple as adding an optimization without fully understanding the impact
>> (See GCC optimizations + Linux kernel to see some amazing examples)
> Sure, my questions are: 
>     - how did this backdooring optimization get there?
>     - is it in the source code of a known compiler? (e.g., somebody broke into GNU's gcc repository), 

I think this was referring to something like
https://www.redhat.com/en/blog/security-flaws-caused-compiler-optimizations

In that case, the aggressive optimizations were probably not an
intentional backdoor.
And because they were in the upstream gcc source code, they were in many
distributions.
Also, the code that became insecure contained minor issues that, through
these optimizations, became major issues.

However, this one falls into what I wrote on the etherpad:

> What are non-goals?
> Reproducible builds do not (intend to) help with vulnerabilities and other issues that exist in the source code. Other methods exist to address those. E.g. `print "2+2=5"` is wrong, yet perfectly reproducible.


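Added example (not part of the thread, and not code from the Red Hat post it links): three of the patterns in which a harmless-looking slip in the source turns into a real hole once the optimizer is allowed to assume the code has no undefined behaviour, each beside a form that survives optimization. The struct, function names and input values are constructed for illustration.

```c
/* Added example: minor source-level slips that an optimizing compiler
 * turns into real vulnerabilities, each beside a hardened form.
 * Names (struct packet, packet_len_*, in_bounds_*, secure_wipe) are
 * invented for this illustration. */
#include <limits.h>
#include <stddef.h>
#include <string.h>

struct packet {
    int len;
    unsigned char payload[64];
};

/* Pattern 1: dereference before the NULL check.  Reading pkt->len is
 * undefined when pkt is NULL, so the compiler may conclude pkt cannot
 * be NULL and delete the check below.  At -O0 the guard "works"; at
 * -O2 it is gone and a NULL pointer reaches the caller unchecked. */
int packet_len_unsafe(const struct packet *pkt)
{
    int len = pkt->len;          /* UB if pkt == NULL */
    if (pkt == NULL)             /* may be optimized away */
        return -1;
    return len;
}

/* Hardened: check first, then dereference.  Nothing here is UB, so the
 * compiler has no licence to remove the check. */
int packet_len_safe(const struct packet *pkt)
{
    if (pkt == NULL)
        return -1;
    return pkt->len;
}

/* Pattern 2: an overflow check that relies on signed wraparound.
 * Signed overflow is undefined, so `off + n < off` can be folded to 0
 * and the bounds check silently disappears. */
int in_bounds_unsafe(int off, int n, int size)
{
    if (off + n < off)           /* UB on overflow; may be deleted */
        return 0;
    return off + n <= size;
}

/* Hardened: reject negatives and test against INT_MAX without ever
 * performing the addition that could overflow. */
int in_bounds_safe(int off, int n, int size)
{
    if (off < 0 || n < 0 || size < 0)
        return 0;
    if (n > INT_MAX - off)       /* off + n would overflow */
        return 0;
    return off + n <= size;
}

/* Pattern 3: memset() on a secret that is never read again is a dead
 * store and may be eliminated, leaving the key in memory.  Writing
 * through a volatile pointer forces every store to be emitted. */
void secure_wipe(void *buf, size_t n)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    for (size_t i = 0; i < n; i++)
        p[i] = 0;
}

/* Returns 1 when every byte of buf is zero, 0 otherwise. */
int all_zero(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}
```

Compile the unsafe functions at -O0 and at -O2 and compare the generated code (e.g. with `objdump -d`): the NULL compare and the overflow compare are present in the first and typically absent in the second, which is exactly the kind of difference a reproducible build preserves faithfully rather than detects.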