Attack on SolarWinds could have been countered by reproducible builds

Holger Levsen holger at layer-acht.org
Wed Dec 30 13:58:21 UTC 2020


hi,

On Mon, Dec 21, 2020 at 01:58:01PM -0500, Santiago Torres-Arias wrote:
> To be a little bit more upfront: I think that we as a community
> sometimes focus on "is this thing reproducible" and not on "how can I
> use this to secure the ecosystem".

I fully agree and believe this is due to us still encountering way too
many practical technical problems. It's really hard to think practically
about something which mostly only exists in theory.

I mean, the Tails ISO is the only 'product' I'm aware of which can be
meaningfully verified currently. And probably some Android apps too,
though just fetching an .apk from a phone with adb and verifying it is nothing
I could recommend as 'easy' to anyone (except Android hackers).

But for the big Linux distros we aren't there yet. And thus it's very
hard to focus on user stories and to keep the focus there. At least that's
my explanation why we drift into details constantly.


-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁       holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
 ⠈⠳⣄

Life is short but a sea of morons is forever.
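As an added illustration of the apk verification step mentioned above (example code, not part of Holger's mail or of any reproducible-builds project tooling): the script pulls the installed APK of a package with adb, then compares it entry by entry against a locally reproduced build. Entries under META-INF/ are skipped, since the publisher's signature differs by design from anything a third-party builder can produce; APK signature scheme v2/v3 blocks live outside the zip entries and are therefore never compared either. The package name, the adb invocation and the three sample APKs are constructed for the demo; a real check would substitute the real package and the output of the local build.

```python
"""Compare an APK pulled from a device with a locally reproduced build.

Added example: compares the zip entries of both APKs and ignores the
publisher's signature files (META-INF/), which a third-party rebuild
cannot reproduce. This is a simplification of what e.g. the F-Droid
verification server does (it copies the published signature onto the
local build and compares whole files); entry-level comparison is enough
to answer "is the code the same?" and to name the entries that differ.
"""
import hashlib
import io
import subprocess
import zipfile


def pull_apk(package, dest):
    """Locate and pull the installed APK of `package` with adb.

    Assumes adb is on PATH and a single device is attached. Not called
    by the self-contained demo at the bottom (it needs a phone).
    """
    out = subprocess.check_output(["adb", "shell", "pm", "path", package], text=True)
    paths = [line.split(":", 1)[1].strip()
             for line in out.splitlines() if line.startswith("package:")]
    if not paths:
        raise RuntimeError(f"{package} is not installed on the device")
    # The first path is base.apk; split APKs would need the same treatment.
    subprocess.check_call(["adb", "pull", paths[0], dest])
    return dest


def entry_digests(apk_bytes, ignore_signature=True):
    """Map every zip entry name to the SHA-256 of its uncompressed content.

    Hashing content (not the raw zip bytes) means differing timestamps or
    compression levels do not show up as differences; only payload does.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if ignore_signature and info.filename.startswith("META-INF/"):
                continue  # CERT.RSA / CERT.SF / MANIFEST.MF belong to the signer
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(device_apk, local_apk):
    """Return a report: reproducible flag plus the names of mismatching entries."""
    device = entry_digests(device_apk)
    local = entry_digests(local_apk)
    only_on_device = sorted(set(device) - set(local))
    only_in_local = sorted(set(local) - set(device))
    differing = sorted(name for name in device.keys() & local.keys()
                       if device[name] != local[name])
    return {
        "reproducible": not (only_on_device or only_in_local or differing),
        "only_on_device": only_on_device,
        "only_in_local": only_in_local,
        "differing": differing,
    }


def make_apk(entries):
    """Constructed stand-in for an APK: a zip with the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: the same app as published (signed), as rebuilt
# locally (unsigned), and a variant whose bytecode was altered.
_MANIFEST = b"<manifest package='org.example.app'/>"
_DEX = b"dex\n035\x00" + b"A" * 32
PUBLISHED_APK = make_apk({
    "AndroidManifest.xml": _MANIFEST,
    "classes.dex": _DEX,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.RSA": b"publisher-signature-bytes",
})
LOCAL_REBUILD_APK = make_apk({
    "AndroidManifest.xml": _MANIFEST,
    "classes.dex": _DEX,
})
TAMPERED_APK = make_apk({
    "AndroidManifest.xml": _MANIFEST,
    "classes.dex": _DEX[:-1] + b"B",  # one byte of bytecode changed
})


if __name__ == "__main__":
    # Real use: compare_apks(open(pull_apk("org.example.app", "device.apk"), "rb").read(),
    #                        open("app-release-unsigned.apk", "rb").read())
    print(compare_apks(PUBLISHED_APK, LOCAL_REBUILD_APK))
    print(compare_apks(PUBLISHED_APK, TAMPERED_APK))
```

The report names the offending entries rather than just answering yes/no, which is what you need when chasing the usual culprits (resources.arsc ordering, embedded build timestamps, a different toolchain producing a different classes.dex).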