- replies
- 1
- announces
- 0
- likes
- 0
@ska
Only if the reproducer uses the same compromised tool chain. The whole point of reproducible builds is that you can in fact use your own version of the tool chain and still get the same result.
Cc @reproducible_builds
Only if the reproducer uses the same compromised tool chain. The whole point of reproducible builds is that you can in fact use your own version of the tool chain and still get the same result.
Cc @reproducible_builds
@ska @reproducible_builds If I build a version of some reproducibly-built software using a compromised tool chain and you built it using a non compromised one, and you shared the relevant bits of the output with me, then we know that one of us has a fishy compiler and the trusting trust issues are discovered.
That still leaves figuring out what happened, of course, but you don't need to be an expert to get this far. With your method of auditing binaries, you do.
That still leaves figuring out what happened, of course, but you don't need to be an expert to get this far. With your method of auditing binaries, you do.
@ska @reproducible_builds Note that reproducible builds doesn't necessarily give you bit-for-bit identical binaries, and that's also not necessary. What they give you is a toolkit to figure out which changes are normal results of different build dependencies, and which ones aren't. Things like diffoscope, e.g.
@raboof @ska @reproducible_builds Sure; I meant to say that you can detect trusting trust issues without bit-by-bit identical binaries. Having those makes the detection even easier, of course!