Attack on SolarWinds could have been countered by reproducible builds

David A. Wheeler dwheeler at dwheeler.com
Mon Dec 21 20:57:59 UTC 2020



> On Dec 21, 2020, at 1:58 PM, Santiago Torres-Arias <santiago at archlinux.org> wrote:
> I agree that we need more visibility on the reprobuilds aspect of this
> compromise.

I don’t think it’s visible to *reporters* though.

> To be a little bit more upfront: I think that we as a community
> sometimes focus on "is this thing reproducible" and not on "how can I
> use this to secure the ecosystem".

It’s definitely time to clarify that.

I think these things need to happen in stages. Broadly:
1. Get key applications & libraries reproducible (assuming toolchains are okay)
2. Establish independent processes that *check* that the binaries are what they’re supposed to be.
3. Extend the work to more/all applications/libraries in given domains.
4. Work on verifying underlying toolchains, and again, creating independent processes that *check* the toolchain results (DDC & bootstrapping).

The long-term goal should be that “we can ensure that all OSS compiled code is accurately represented by its source code”. The source code may include malicious statements, but source code is what developers review, so we’ve fundamentally changed the game to ensure that “what is reviewed is what is run”.

--- David A. Wheeler
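Added example (not part of the message above, and not code from the reproducible-builds project): the "independent check" step in stage 2 of the list is, at its simplest, an outside party rebuilding the artifact from the reviewed source and comparing digests, either against the binary the vendor shipped or against a published SHA256SUMS-style manifest. The function names (`check_reproducible`, `check_manifest`) and the sample files the demo writes are assumptions of this example; the digests are computed, not hard-coded. A mismatch means the binary is not what the source says it is and needs the kind of file-level investigation a tool like diffoscope gives; it does not by itself say which side is wrong.

```sh
#!/bin/sh
# Added example: independent verification of a build against its source.
# Not from the original message; function names and sample inputs are
# this example's own. Works with POSIX sh plus sha256sum or shasum.

sha256_of() {
    # Portable SHA-256 of one file: GNU coreutils first, then BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare the artifact a vendor shipped with one rebuilt independently from
# the same source. Exit status 0 = bit-for-bit identical, 1 = they differ
# (the first differing byte offset is reported on stderr via cmp).
check_reproducible() {
    shipped="$1"
    rebuilt="$2"
    want=$(sha256_of "$shipped")
    got=$(sha256_of "$rebuilt")
    if [ "$want" = "$got" ]; then
        echo "MATCH    $want  $(basename "$shipped")"
        return 0
    fi
    echo "MISMATCH shipped=$want rebuilt=$got" >&2
    cmp "$shipped" "$rebuilt" >&2 || true
    return 1
}

# Verify a directory of rebuilt artifacts against a published manifest in
# "sha256sum" format ("<hex digest>  <file name>" per line). This is the
# form a third party uses when it has the vendor's hashes but rebuilds the
# binaries itself. Every line is checked; a missing file counts as failure.
check_manifest() {
    manifest="$1"
    dir="$2"
    rc=0
    while read -r want name; do
        [ -n "$want" ] || continue          # skip blank lines
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2
            rc=1
            continue
        fi
        got=$(sha256_of "$dir/$name")
        if [ "$want" = "$got" ]; then
            echo "OK       $name"
        else
            echo "BAD      $name (manifest $want, rebuilt $got)" >&2
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# Demo on constructed files standing in for a vendor build and two rebuilds
# (one faithful, one with extra bytes). Run as: sh this_script.sh demo
demo() {
    d=$(mktemp -d)
    printf 'build output v1\n' > "$d/shipped.bin"
    printf 'build output v1\n' > "$d/rebuilt.bin"
    printf 'build output v1\nextra\n' > "$d/rebuilt-differs.bin"
    check_reproducible "$d/shipped.bin" "$d/rebuilt.bin" || true
    check_reproducible "$d/shipped.bin" "$d/rebuilt-differs.bin" || true
    # Manifest published for the shipped build, applied to the rebuilds.
    h=$(sha256_of "$d/shipped.bin")
    printf '%s  rebuilt.bin\n%s  rebuilt-differs.bin\n' "$h" "$h" > "$d/SHA256SUMS"
    check_manifest "$d/SHA256SUMS" "$d" || echo "manifest check failed (expected in demo)"
    rm -rf "$d"
}

case "${1:-}" in
    demo) demo ;;
esac
```

In practice the rebuild runs on infrastructure the vendor does not control, with its own toolchain, so that a compromised build server cannot produce both sides of the comparison; the comparison itself is deliberately dumb, because any difference, however small, is a signal to investigate.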
