Attack on SolarWinds could have been countered by reproducible builds

Richard Purdie richard.purdie at linuxfoundation.org
Mon Dec 21 21:28:07 UTC 2020


On Mon, 2020-12-21 at 15:57 -0500, David A. Wheeler wrote:
> I think these things need to happen in stages. Broadly:
> 1. Get key applications & libraries reproducible (assuming toolchains
> are okay)
> 2. Establish independent processes that *check* that the binaries are
> what they’re supposed to be.
> 3. Extend the work to more/all applications/libraries in given
> domains.
> 4. Work on verifying underlying toolchains, and again, creating
> independent processes that *check* the toolchain results (DDC &
> bootstrapping).
> 
> The long-term goal should be that “we can ensure that all OSS
> compiled code is accurately represented by its source code”. The
> source code may include malicious statements, but source code is what
> developers review, so we’ve fundamentally changed the game to ensure
> that “what is reviewed is what is run”.

Not sure it's so long term for some of us!

With Yocto Project, what we now effectively have is a build from
"scratch" environment where the inputs are checksum validated and the
output bitwise reproducible.

I say "scratch" since we do assume a working host compiler and basic
tools (we have a list) which are used to build the cross compiler.

We are host system independent in that it doesn't matter which distro
you build on, or in which path, the output tarball containing "Linux"
is the same for anything inside OE-Core with a small number of
exceptions. OE-Core is about 800 pieces of software generating ~11,000
packages of which we have about 65 marked as not reproducible at
present. We're obviously working on improving those 65, and the
techniques used will "just work" to a large extent throughout our wider
layers of other software; we're just not testing that until we sort
the core.

The net result is multiple people on multiple different platforms can
run the build and generate the same result consistently. Our
autobuilder does run that exact test regularly.

Cheers,

Richard
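The two checks the mail describes, checksum-validated inputs and bit-for-bit comparison of outputs across independent builders, as an added illustration that is not Yocto Project or OE-Core code. The builder names, package names, byte contents and the allow-list of packages known not to reproduce yet are all constructed for the example; the real autobuilder compares actual package archives.

```python
"""Added example (not Yocto/OE-Core code): gate a build on
1. every source input matching its recorded SHA-256, and
2. every package hashing identically across several independent builders,
   with a small, explicit list of packages known not to reproduce yet.
All data below is constructed for the example."""
from __future__ import annotations

import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string; used for both inputs and outputs here."""
    return hashlib.sha256(data).hexdigest()


def verify_inputs(sources: dict[str, bytes], expected: dict[str, str]) -> list[str]:
    """Names of inputs whose SHA-256 differs from, or is absent in, the recorded
    checksums. A non-empty result means the build must refuse to start: an input
    that does not match the recorded value is not the input that was reviewed."""
    return sorted(name for name, data in sources.items()
                  if expected.get(name) != sha256_hex(data))


def compare_builds(builds: dict[str, dict[str, bytes]],
                   known_unreproducible: set[str]) -> dict:
    """Compare package outputs from several independent builders.

    builds maps builder-id -> {package-name: package bytes}. A package counts as
    reproducible only if every builder produced it and all copies hash the same.
    Divergence in a package on the known-unreproducible list is reported as
    expected, and a listed package that did reproduce is flagged so the list
    can shrink.
    """
    packages = sorted({pkg for pkgs in builds.values() for pkg in pkgs})
    report: dict = {"reproducible": [], "diverged": {}, "missing": {},
                    "expected_diverged": [], "newly_reproducible": []}
    for pkg in packages:
        missing = [b for b in sorted(builds) if pkg not in builds[b]]
        if missing:
            # A builder that produced nothing for this package is a failure
            # in its own right, not evidence about reproducibility.
            report["missing"][pkg] = missing
            continue
        by_hash: dict[str, list[str]] = defaultdict(list)
        for builder in sorted(builds):
            by_hash[sha256_hex(builds[builder][pkg])].append(builder)
        if len(by_hash) == 1:
            report["reproducible"].append(pkg)
            if pkg in known_unreproducible:
                report["newly_reproducible"].append(pkg)
        elif pkg in known_unreproducible:
            report["expected_diverged"].append(pkg)
        else:
            report["diverged"][pkg] = dict(by_hash)
    return report


def build_is_clean(report: dict) -> bool:
    """The gate an autobuilder would apply: any unexpected divergence, or a
    package some builder failed to produce, fails the run."""
    return not report["diverged"] and not report["missing"]


# Constructed sample: three builders on different host distros, four packages.
# "python3" embeds a build timestamp and so differs per builder (listed as known);
# "glibc" is listed but actually reproduces; "linux-yocto" is missing on one host.
SAMPLE_BUILDS = {
    "builder-debian": {"busybox": b"busybox v1", "glibc": b"glibc v1",
                       "python3": b"py built 2020-12-21T10:00", "linux-yocto": b"kernel v1"},
    "builder-fedora": {"busybox": b"busybox v1", "glibc": b"glibc v1",
                       "python3": b"py built 2020-12-21T10:07", "linux-yocto": b"kernel v1"},
    "builder-arch":   {"busybox": b"busybox v1", "glibc": b"glibc v1",
                       "python3": b"py built 2020-12-21T10:12"},
}
KNOWN_UNREPRODUCIBLE = {"python3", "glibc"}  # constructed allow-list

if __name__ == "__main__":
    rep = compare_builds(SAMPLE_BUILDS, KNOWN_UNREPRODUCIBLE)
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("clean:", build_is_clean(rep))
```

The allow-list is deliberately explicit and finite, mirroring the "65 marked as not reproducible" in the mail: anything not on it that diverges fails the run, and anything on it that starts reproducing is surfaced so the exception can be retired rather than silently kept.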