deejoe at etrumeus.com
Sun Sep 8 08:15:48 PDT 2013
On Sun, Sep 08, 2013 at 06:58:08AM -0700, Don Marti wrote:
> begin Greg KH quotation of Sat, Sep 07, 2013 at 09:14:31PM -0700:
> > But what else needs to be worked on? What gaps do people feel we have
> > that are causing problems that we can solve with technological measures,
> > not just legal ones?
> A repository of deliberately subverted packages
> for some key components? Not just to show what's
> possible when Bad Builds Happen to Good Software,
> and call attention to it, but to give people some
> real scenarios to work through.
A little less . . . equanimity . . . in the face of unauditable blobs.
Getting back to deterministic builds, Eugen has mentioned Tor's efforts with
regard to deterministic builds, and I think we get the nugget of what
deterministic builds entail in the context of a single system vis-à-vis a
centralized repository, but consider:
Working out the conventions for this could diffuse the targets of
malefactors' subversion attempts against source repositories, against binary
repositories, and against build environments.
Think of it, perhaps, as a web-of-trust applied to the build process, or
DVCS meets web-of-trust meets grid computing.
A great deal of the "build from source" enthusiasm revolves around making
customized builds. To the extent that these are one-off efforts (even if
done on a grand scale, as Marc has described), they don't yield to
distributed end-to-end auditing of the code, from source to object.
With the ability to compare the code at each end of the build toolchain,
perhaps subcommunities of interest will have more incentive to share details
of their more specialized efforts: so they can groom each other for bugs in
the build environment.
Joe

On ceding power to tech companies: http://xkcd.com/1118/
man screen | grep -A2 weird
A weird imagination is most useful to gain full advantage of
all the features.
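The "compare the code at each end of the build toolchain" idea above, as an added example (not code from the list or from any project mentioned): several independent builders rebuild the same source revision, and the audit flags an artifact as reproduced only when a quorum agrees and nobody dissents. Builder names and build outputs are constructed for the example.

```python
import hashlib
from collections import defaultdict

def digest(data: bytes) -> str:
    """SHA-256 of a build output; the value each builder would publish."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample: bytes each independent builder got for each artifact
# at the same source revision. Everything here is made up for illustration.
GOOD_LIB = b"\x7fELF libfoo build output"
BUILDS = {
    "alice": {"libfoo.so": GOOD_LIB, "foo-cli": b"foo-cli output"},
    "bob":   {"libfoo.so": GOOD_LIB, "foo-cli": b"foo-cli output"},
    "carol": {"libfoo.so": GOOD_LIB + b"\x90", "foo-cli": b"foo-cli output"},
    "dave":  {"libfoo.so": GOOD_LIB, "tool-x": b"only dave built this"},
}

def collect(builds):
    """artifact -> digest -> sorted builders that reported that digest."""
    table = defaultdict(lambda: defaultdict(list))
    for builder, artifacts in builds.items():
        for name, blob in artifacts.items():
            table[name][digest(blob)].append(builder)
    return {a: {d: sorted(bs) for d, bs in ds.items()} for a, ds in table.items()}

def audit(builds, quorum=2):
    """Classify each artifact:
    'reproduced'  - at least `quorum` builders agree and none dissent
    'disputed'    - builders disagree: a differing toolchain, source, or subversion
    'unconfirmed' - too few independent builds to conclude anything"""
    result = {}
    for name, by_digest in collect(builds).items():
        ranked = sorted(by_digest.items(), key=lambda kv: len(kv[1]), reverse=True)
        majority_digest, majority = ranked[0]
        dissent = {d: bs for d, bs in ranked[1:]}
        if dissent:
            result[name] = {"status": "disputed", "majority": majority,
                            "dissent": dissent}
        elif len(majority) >= quorum:
            result[name] = {"status": "reproduced", "builders": majority}
        else:
            result[name] = {"status": "unconfirmed", "builders": majority}
    return result

if __name__ == "__main__":
    for artifact, verdict in audit(BUILDS).items():
        print(artifact, verdict)
```

Sharing the published digests rather than the binaries is what lets unrelated subcommunities cross-check each other without exchanging their customized builds.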