Attack on SolarWinds could have been countered by reproducible builds

Hans-Christoph Steiner hans at
Wed Jan 13 12:02:56 UTC 2021

Yeah, a short writeup on RB in the context of the SolarWinds attack would be 
great to have, especially now that more details are coming out.  Its quite an 
impressive hack, it even cleans up after itself:

> To prevent detection, Sunburst’s creators “included a hash verification check” to ensure the injected malicious code “is compatible with a known source file”. Once the build process was complete, Sunburst waited for MsBuild.exe to exit “before restoring the original source code and deleting the temporary InventoryManager.bk file” containing its malicious code, now compiled into the Orion product.


David Kleuker:
> it don't help much to rant on this ML where all people know what reproducible builds are. instead contacting all those journalists that did not mention it has a chance to change the current status.
> a publication on about this incident would also be helpful to share the link
> next time this happens, journalists would at least know they COULD mention it
> kind regards
> David Kleuker
>> Chris Lamb <chris at> hat am 21.12.2020 15:30 geschrieben:
>> David A. Wheeler wrote:
>>> Let me restate this: it appears that the *source code* wasn’t
>>> compromised, and the *distribution* system wasn’t compromised. Instead,
>>> the *build system* was compromised.
>> Thanks for this, David. You are absolutely right that this is exactly
>> what Reproducible Builds was 'designed' for to begin with. An ironic
>> hurrah that this kind of attack is getting more visibility these days.
>> Another thanks for the press references too -- I will make good use of
>> them when writing our next monthly report. (Alas, if it wasn't the
>> holiday season I might be tempted to suggest that we do a specific
>> publicity boost based on this..)
>> Regards,
>> --
>>        o
>>      ⬋   ⬊      Chris Lamb
>>     o     o 💠
>>      ⬊   ⬋
>>        o

PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556

More information about the rb-general mailing list