[linux-elitists] Surveillance

Andy Bennett andyjpb at ashurst.eu.org
Sun Sep 8 09:41:34 PDT 2013


>> But what else needs to be worked on?  What gaps do people feel we have
>> that are causing problems that we can solve with technological measures,
>> not just legal ones?
> A repository of deliberately subverted packages
> for some key components?   Not just to show what's
> possible when Bad Builds Happen to Good Software,
> and call attention to it, but to give people some
> real scenarios to work through.

What threat model are we really talking about with so called
"Deterministic Builds"?

When I worked in embedded software near the turn of the century we put
some effort into trying to detect meaningful differences in different
builds of the same source tree, i.e. ignoring timestamps but seeing what
different compilers did or different runs of the same compilers, etc.
(We failed miserably because we didn't have enough engineering time for it.)

When I first heard of this "Deterministic Build" stuff again a few
months ago my first thought was to things such as the Thompson Bug.

Now some of the excitement^W hype has died down it seems like we might
just be talking about a threat model where an adversary manages to
inject an arbitrary binary into a distribution chain.

Of course, diff style tooling may also be able to detect variants of the
Thompson Bug, but do people think that finding that kind of technology
in the wild is a realistic prospect?


andyjpb at ashurst.eu.org
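The "ignore timestamps, compare what matters" check described above, as an added example (not code from the list or its author): it hashes tarball members while discarding mtime and ownership, so two rebuilds of the same tree match and a swapped binary in a distributed archive stands out. The sample tarballs are constructed in memory; the function names are assumptions.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes):
    """Map each member name to a hash of (type, mode, content), ignoring mtime/uid/gid."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for member in tf.getmembers():
            h = hashlib.sha256()
            h.update(member.type)                       # regular file, dir, symlink, ...
            h.update(member.mode.to_bytes(4, "big"))    # permissions do matter (setuid!)
            if member.isfile():
                h.update(tf.extractfile(member).read())
            elif member.issym() or member.islnk():
                h.update(member.linkname.encode())
            digests[member.name] = h.hexdigest()
    return digests


def normalized_digest(tar_bytes):
    """Single timestamp-independent digest of a whole archive (sorted by member name)."""
    h = hashlib.sha256()
    for name, d in sorted(member_digests(tar_bytes).items()):
        h.update(name.encode() + b"\0" + d.encode())
    return h.hexdigest()


def diff_members(tar_a, tar_b):
    """Members whose normalized content differs, or that exist in only one archive."""
    a, b = member_digests(tar_a), member_digests(tar_b)
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))


def build_tarball(files, mtime):
    """Constructed sample build: pack {name: bytes} into an in-memory tar with one mtime."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

In practice the archive on the mirror is compared against an independent rebuild; a non-empty `diff_members` result is the list to investigate, while a differing raw checksum alone may just be a timestamp.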
