How to talk to skeptics?

FC Stegerman flx at obfusk.net
Wed Dec 21 16:47:24 UTC 2022


* "Bernhard M. Wiedemann via rb-general" <rb-general at lists.reproducible-builds.org> [2022-12-14 20:30]:
> a colleague of mine is rather skeptic towards bootstrapping and
> reproducible-builds.
> [...]
> In the end, it would be useful to collect some well-worded / well-thought
> counter-arguments on r-b.o (if we don't have that already)
> [...]
> Any thoughts and/or volunteers?

One aspect that I think only Tristan van Berkom explicitly mentioned
[1] so far is IMO quite important: bit-by-bit identical binaries must
behave identically (or at least if they don't we know the problem lies
elsewhere).

Even if reproducible builds cannot provide 100% protection against
malicious subversion, we know that bit-by-bit identical binaries
cannot behave differently, whether through subversion or accident.

There can be no bug present in one but not the other, whether the
cause is malicious or simply a non-deterministic build process -- or
even a random bitflip -- producing subtly different binaries.

Non-determinism often hides bugs or makes them harder to find.  With
RB, you know that any change in a program's behaviour must be caused
by a change in its source code and cannot be caused by a "random"
difference between different builds, making debugging easier.

- FC

[1] https://lists.reproducible-builds.org/pipermail/rb-general/2022-December/002789.html
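As an added illustration of the point above (not part of FC's message or of any reproducible-builds project code), the following Python script stands in for a build step in two modes: one that embeds wall-clock time and a random build id, as many toolchains do by default, and one that pins timestamps to a fixed SOURCE_DATE_EPOCH-style value. Building twice and comparing SHA-256 digests shows that only the pinned build is bit-for-bit reproducible, and a small entry-by-entry diff shows where the other one diverges. The "source tree" is a constructed dictionary; the functions `build_artifact`, `diff_artifacts` and `check_reproducible` are hypothetical names chosen for this example.

```python
import hashlib
import io
import secrets
import time
import zipfile

# Constructed sample "source tree": file name -> contents (not a real project).
SOURCES = {
    "main.c": b"int main(void) { return 0; }\n",
    "README": b"demo\n",
}


def build_artifact(sources, source_date_epoch=None):
    """Package `sources` into a zip, standing in for a build step.

    With source_date_epoch=None the build mimics a typical default toolchain:
    entries are stamped with wall-clock time and a random build id is embedded
    (think __DATE__/__TIME__ or a temporary directory name leaking into the
    binary). With source_date_epoch set, timestamps are fixed and no build id
    is embedded, so the output depends only on `sources`.
    """
    if source_date_epoch is None:
        stamp = time.localtime()[:6]
        build_info = b"built %d %s\n" % (time.time_ns(), secrets.token_hex(8).encode())
    else:
        stamp = time.gmtime(source_date_epoch)[:6]
        build_info = b"built from source_date_epoch %d\n" % source_date_epoch

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Sorted iteration: filesystem listing order is itself a common
        # source of non-determinism.
        for name in sorted(sources):
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, sources[name])
        zf.writestr(zipfile.ZipInfo("BUILD_INFO", date_time=stamp), build_info)
    return buf.getvalue()


def sha256_hex(data):
    """Digest used to compare whole artifacts bit-for-bit."""
    return hashlib.sha256(data).hexdigest()


def diff_artifacts(a, b):
    """Return the sorted names of zip entries that differ between two builds
    (content differs, or the entry exists in only one of them)."""
    with zipfile.ZipFile(io.BytesIO(a)) as za, zipfile.ZipFile(io.BytesIO(b)) as zb:
        names_a, names_b = set(za.namelist()), set(zb.namelist())
        differing = names_a ^ names_b
        for name in names_a & names_b:
            if za.read(name) != zb.read(name):
                differing.add(name)
    return sorted(differing)


def check_reproducible(build, runs=3):
    """Call `build()` several times and report whether every run produced a
    bit-for-bit identical artifact. Returns (reproducible, list_of_hashes)."""
    hashes = [sha256_hex(build()) for _ in range(runs)]
    return len(set(hashes)) == 1, hashes


if __name__ == "__main__":
    ok, hashes = check_reproducible(lambda: build_artifact(SOURCES))
    print("default build reproducible:", ok)
    print("differing entries:", diff_artifacts(build_artifact(SOURCES), build_artifact(SOURCES)))
    ok, hashes = check_reproducible(lambda: build_artifact(SOURCES, source_date_epoch=1600000000))
    print("pinned build reproducible:", ok, hashes[0])
```

The same comparison is what a rebuild check does at scale: if the digests match, any difference in behaviour between two installs of that artifact cannot come from the build; if they differ, the entry-level diff points at exactly where the non-determinism (or the tampering) entered.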

