Attack on SolarWinds could have been countered by reproducible builds

Santiago Torres-Arias santiago at archlinux.org
Mon Dec 21 18:58:01 UTC 2020


Hello.

On Thu, Dec 17, 2020 at 07:33:11PM -0500, David A. Wheeler wrote:
> All:
> 
> There’s been a recently-revealed attack on the SolarWinds product “Orion", a Network Management System (NMS). This software is widely used and thus this attack is extremely concerning.
> 
> According to SANS, "SolarWinds has published limited information in which they state they believe the build environment was compromised.” https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
> 
> Let me restate this: it appears that the *source code* wasn’t compromised, and the *distribution* system wasn’t compromised. Instead, the *build system* was compromised. This is *EXACTLY* the kind of attack that is countered by reproducible builds. Thus, the recent SolarWinds subversion is a very good argument for why it’s important to have reproducible builds (and to verify builds using reproducible builds).
> 
> I’ve read a number of articles about SolarWinds, and none of them mention reproducible builds, even though reproducible builds is clearly a countermeasure to this problem. Perhaps journalists will eventually learn about reproducible builds; that would be nice!

I agree that we need more visibility on the reprobuilds aspect of this
compromise. For my side (speaking as an in-toto maintainer), we've been
banging the drum on the use of reprobuilds to stop these types of
compromises. In fact, we generally say that, before securing the whole
chain, something like reprobuilds on the build stage precludes any type
of software supply chain security measures (I'm biting my tongue here to
avoid using a "weakest link" type of metaphor).

Having said this, I think it's important as a community to highlight
that reproducibility is not sufficient if there is no checking of build
artifacts (and now I'm biting my tongue here trying not to mention
"trees falling in a forest when nobody is around"). This is why I'm
incredibly excited about rebuilderd, and I'd encourage everyone to put
more hands on deck on that project.

Personally, in most of the mentions of in-toto solving the SolarWinds
attack, we mention that the policy enforcement of in-toto allows for
semantics describing reproducible (and authenticated) rebuilds from
trusted parties. It also allows authenticating components in the build
environment (which may, or may not, protect against this particular
attack).

To be a little bit more upfront: I think that we as a community
sometimes focus on "is this thing reproducible" and not on "how can I
use this to secure the ecosystem". I think it's been this way since
perhaps the r-b summit in 2018.

Hell, to be even more upfront, we are at a great time of the year to
rethink our priorities and efforts now that the calendar year is about
to reset :)

What do you guys think?
-Santiago
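The check Santiago is describing (a reproducible build only buys assurance once independent parties actually rebuild and compare), as an added example that is not part of the original thread and is not in-toto's or rebuilderd's own code. It models a vendor-published artifact, rebuild reports from independent rebuilders, and a verifier that accepts the artifact only when a threshold of distinct trusted rebuilders built the same source revision and reproduced the vendor's digest. The rebuilder names, source reference, artifact bytes and threshold rule are all constructed for illustration (the threshold idea is loosely modeled on in-toto's notion of requiring several functionaries to agree, but the code below is not in-toto's implementation).

```python
"""Independent-rebuild verification (added example, not in-toto/rebuilderd code).

The point demonstrated: a digest published by the vendor alone proves nothing
against a compromised build system, because the attacker who controls the
build also controls that digest. Assurance comes from independent rebuilders
reproducing the same bytes from the same source, and from a verifier that
actually compares them.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class RebuildReport:
    rebuilder: str    # identity of the independent rebuilder (assumed, constructed)
    source_ref: str   # source revision the rebuilder claims to have built
    digest: str       # sha256 hex digest of the artifact the rebuilder produced


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_rebuilds(vendor_artifact: bytes, source_ref: str, reports,
                    trusted_rebuilders, threshold: int):
    """Return (ok, reasons).

    ok is True only if at least `threshold` distinct rebuilders from
    `trusted_rebuilders` report building `source_ref` and produced exactly the
    digest of `vendor_artifact`. Reports from unknown rebuilders, for a
    different source revision, or with a different digest never count, and
    `reasons` records why each was rejected.
    """
    vendor_digest = sha256_hex(vendor_artifact)
    reasons = []
    agreeing = set()
    for r in reports:
        if r.rebuilder not in trusted_rebuilders:
            reasons.append(f"ignoring report from untrusted rebuilder {r.rebuilder}")
            continue
        if r.source_ref != source_ref:
            reasons.append(f"{r.rebuilder}: built {r.source_ref}, expected {source_ref}")
            continue
        if r.digest != vendor_digest:
            reasons.append(f"{r.rebuilder}: digest {r.digest[:12]} != vendor {vendor_digest[:12]}")
            continue
        agreeing.add(r.rebuilder)
    if len(agreeing) < threshold:
        reasons.append(f"only {len(agreeing)} of {threshold} required trusted rebuilders agree")
        return False, reasons
    return True, reasons


# Constructed sample data: a clean artifact and the same artifact with bytes
# injected at build time (standing in for a compromised build server's output).
CLEAN_ARTIFACT = b"example-nms-agent v1 clean build (constructed sample bytes)"
TAMPERED_ARTIFACT = CLEAN_ARTIFACT + b"\x00injected-at-build-time"
SOURCE_REF = "git:0123abcd"  # constructed source revision identifier
TRUSTED = {"rebuilder-a.example", "rebuilder-b.example"}  # constructed names


def independent_reports(source_ref: str = SOURCE_REF):
    """Reports from two independent rebuilders that each rebuilt the clean source."""
    clean = sha256_hex(CLEAN_ARTIFACT)
    return [RebuildReport("rebuilder-a.example", source_ref, clean),
            RebuildReport("rebuilder-b.example", source_ref, clean)]


if __name__ == "__main__":
    # Honest vendor: two trusted rebuilders reproduce the shipped bytes.
    print(verify_rebuilds(CLEAN_ARTIFACT, SOURCE_REF, independent_reports(), TRUSTED, 2))
    # Compromised build system: source unchanged, artifact differs, rebuilders disagree.
    print(verify_rebuilds(TAMPERED_ARTIFACT, SOURCE_REF, independent_reports(), TRUSTED, 2))
    # Reproducible but unchecked: nobody rebuilt, so nothing can be verified.
    print(verify_rebuilds(CLEAN_ARTIFACT, SOURCE_REF, [], TRUSTED, 1))
```

The second scenario is the SolarWinds-shaped case: the source is fine and the vendor's build is even internally consistent, but the shipped bytes do not match what independent rebuilders get from that source, so the verifier rejects them. The third scenario is the "tree falling in a forest" case: the build may well be reproducible, but with no rebuild reports to compare there is nothing to accept.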