How to talk to skeptics?

Vagrant Cascadian vagrant at reproducible-builds.org
Wed Dec 14 20:51:42 UTC 2022 

On 2022-12-14, Bernhard M. Wiedemann via rb-general wrote:
> a colleague of mine is rather skeptic towards bootstrapping and 
> reproducible-builds.
>
> E.g. he wrote
>
> https://fy.blackhats.net.au/blog/html/2021/05/12/compiler_bootstrapping_can_we_trust_rust.html

This seems to miss the point that the sources *are* auditable, even if
after the fact, even if imperfectly, whereas the binaries are orders of
magnitude harder to audit.

Also curious how to address the bootstrapping problem if a compromised
binary ever worked its way into your blind trust of the upstream
provided binary compiler?

Even if downstream distributions such as OpenSUSE bootstrap from a
binary upstream compiler with each new rust version, I sure would hope
that upstream can *prove* beyond a reasonable doubt that what they
produced is legit in an auditable way... and while I am biased, it seems
a bootstrappable and reproducible build is the best current known way to
have very high confidence...


That many people use rustup to install rust and nothing has (noticeably)
gone horribly wrong yet does not win me over in any argument regarding
security. The https://rustup.rs recommendation of:

  curl ... | sh

... is relying on the weakest link in the chain of "trusted" certificate
authorities; a security vulnerability that is not so much a back door
vulnerability, as a wide open front door with the lights on in the dead
of night.


The argument that you can't trust the source code is a valid and
important concern, but outside the scope of reproducible builds, and
there are ways of addressing that through peer review of source code,
independent third-party review, and fastidious audit logs of who
committed what.

The bugdoor argument kind of falls down eventually, because logically,
if someone can trivially inject plausible but incorrect source code (and
well...  I guess they can), why bother reviewing source code at all? Why
bother tracking who committed it at all? Since it is impossible to
perfectly review source code, may as well not do any kind of review at
all... right? Uh, no.

All review and auditing processes will catch some bugs, and all security
measures raise the bar by some degree... using all known best practices
will catch as much as we can plausibly catch with our non-infinite
resources, despite being imperfect.


I wonder if the reproducible builds focus on bit-for-bit identical
perfection gets peoples head stuck in the idea of perfection in all
ways? While bit-for-bit identical builds are possible, we do not claim
it is absolute, incontrovertable proof of a perfect build. It just just
one measure of confidence amoung many. A good measure, in my opinion,
but just one tool.


Compromised compilers most definitely have been released into the
wild. It is getting a little old now, but XcodeGhost (a.k.a. Strawhorse)
falls squarely into this category:

  https://en.wikipedia.org/wiki/XcodeGhost

Even without more current examples, even though it is difficult to pull
off... it is clearly possible, has been done, and been executed by well
funded entities in the past... and is, by design, hard to detect. I have
no reason to believe that was a one-off playground experiment.


And yes, you eventually get down to how do you trust hardware... there
are a lot of rabbit holes here, and at the end of the day, you need to
prioritize what is the next important thing is, or what gets you the
most value in the short, medium and long term.

Bootstrappable and Reproducible Builds is probably more in the medium to
long term realm... yet can demonstrate some benefits almost
immediately... if you only focus on the short term, the long-term work
will never happen. I daresay that what the world needs now is a bit more
long-term thinking in general.


> and the effect can also be seen in his packaging such as
> https://build.opensuse.org/package/show/openSUSE:Factory/rust1.65
> that ships with two gigabytes of bootstrap compiler binaries for various 
> architectures instead of using our existing rust packages of version N-1 
> "because compilation takes twice as long".
>
> He also once pointed me to
> https://blog.cmpxchg8b.com/2020/07/you-dont-need-reproducible-builds.html

And for a more light-hearted take...

You don't *need* computers either. :)

In a similar vein:

  https://xkcd.com/2368/

Especially I think the alt-text nailed it.


> In the end, it would be useful to collect some well-worded / 
> well-thought counter-arguments on r-b.o (if we don't have that already)
>
> https://reproducible-builds.org/docs/buy-in/ could provide some input.
>
> Any thoughts and/or volunteers?


I think Morten Linderud had really good points when this came up before:

  https://lists.reproducible-builds.org/pipermail/rb-general/2020-August/002008.html


live well,
  vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20221214/d6f9285e/attachment.sig>

More information about the rb-general mailing list