
764 points bertman | 1 comments
c0l0 No.43484720
I never really understood the hype around reproducible builds. It seems to mostly be a vehicle to enable tivoization[0] while keeping users sufficiently calm. With reproducible builds, a vendor can prove to users that they did build $binary from $someopensourceproject, and then digitally sign the result so that it - and only it - would load and execute on the vendor-provided and/or vendor-controlled platform. But that still kills effective software freedom as long as I, the user, cannot do the same thing with my own build (whether it is unmodified or not) of $someopensourceproject.

Therefore, I side with Tavis Ormandy on this debate: https://web.archive.org/web/20210616083816/https://blog.cmpx...

[0]: https://en.wikipedia.org/wiki/Tivoization

replies(12): >>43484745 #>>43484754 #>>43484942 #>>43485078 #>>43485108 #>>43485155 #>>43485403 #>>43485551 #>>43485635 #>>43486702 #>>43487034 #>>43492779 #
oulipo No.43484754
Reproducible builds are important also for:
- caching artefacts
- ensuring there's no malware somewhere that's been added in the build process
replies(2): >>43484893 #>>43484902 #
AceJohnny2 No.43484902
> ensuring there's no malware somewhere that's been added in the build process

i.e. supply-chain safety

It doesn't entirely resolve Thompson's "Trusting Trust" problem, but it goes a long way.

replies(1): >>43485077 #
0cf8612b2e1e No.43485077
Is it possible for mortals to rebuild gcc from scratch? Can I start with some minimal, auditable compiler (tcc?) and build up to a modern gcc? Or would it be some byzantine path where I need to compile gcc v1998, then perl, then Python 1.8, enabling you to compile gcc v2005, which lets you build Python2.3, etc.
replies(5): >>43485390 #>>43485858 #>>43487062 #>>43487064 #>>43487173 #
tetha No.43485858
Mh. Though, if you have deterministic builds for GCC, imagine how much of a problem some nerd in Northern Washington or Scandinavia with their own strange C build chain would be to inject something strange into these compilers into the build process.

Like, you spend millions to get that one backdoor into the compiler. And then this guy is like "Uhm. Guys. I have this largely Perl-based build process reproducing a modern GCC on a Pentium with 166 MHz swapping RAM to disk because the motherboard can't hold that much memory. But the desk fan helps cooling. It takes about 2 months or 3 to build, but that's fine. I start it and then I work in the woods. It was identical to your releases about 5 times in the last 2 years (can't build more often), and now it isn't somewhere deep in the code sections. My Arduino based floppy emulator is currently moving the binaries through the network"

Sure, it's a cyberpunk hero-fantasy, but deterministic builds would make these kinds of shenanigans possible.

And at the end of the day, independent validation is one of the strongest ways to fight corruption.
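The independent validation tetha describes, and the supply-chain check AceJohnny2 refers to above, as an added Python example that is not part of this thread: a constructed in-memory "build" packs a source tree into a tar archive, first the way a typical build leaks wall-clock time, builder identity, absolute path and a per-run build id, then with those inputs pinned (SOURCE_DATE_EPOCH style), and a third-party verifier rebuilds from source and compares digests. The source tree, paths and epoch value are made up for the example.

```python
import hashlib
import io
import os
import secrets
import tarfile
import time

# Constructed sample source tree (path -> contents); not a real project.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo project\n",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _pack(files: dict, mtime: int) -> bytes:
    """Write files into an uncompressed ustar archive in sorted order with fixed metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(files):           # fixed order: filesystem order is not portable
            data = files[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = mtime               # caller decides whether this is wall-clock or pinned
            info.uid = info.gid = 0          # builder's uid/gid must not leak into the artifact
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def naive_build(tree: dict, build_dir: str = "/home/alice/work") -> bytes:
    """Typical non-reproducible build: embeds time, user, absolute path and a random build id."""
    files = dict(tree)
    user = os.environ.get("USER", "builder")
    files["BUILD_INFO"] = (
        f"built at {time.time_ns()} in {build_dir} by {user} id={secrets.token_hex(8)}\n"
    ).encode()
    return _pack(files, mtime=int(time.time()))

def reproducible_build(tree: dict, source_date_epoch: int = 1700000000) -> bytes:
    """Same build with every machine- or run-dependent input pinned to a declared value."""
    files = dict(tree)
    files["BUILD_INFO"] = f"built from source, SOURCE_DATE_EPOCH={source_date_epoch}\n".encode()
    return _pack(files, mtime=source_date_epoch)

def independent_verification(vendor_artifact: bytes, tree: dict, builder) -> bool:
    """What a third party does: rebuild from the published source and compare digests."""
    return sha256(builder(tree)) == sha256(vendor_artifact)

if __name__ == "__main__":
    vendor = reproducible_build(SOURCE_TREE)
    tampered = dict(SOURCE_TREE, **{"src/main.c": SOURCE_TREE["src/main.c"] + b"/* injected */\n"})
    print("naive build verifies?", independent_verification(naive_build(SOURCE_TREE), SOURCE_TREE, naive_build))
    print("reproducible build verifies?", independent_verification(vendor, SOURCE_TREE, reproducible_build))
    print("tampered artifact verifies?", independent_verification(reproducible_build(tampered), SOURCE_TREE, reproducible_build))
```

A vendor's published digest is only checkable because the second function pins the inputs; the third call shows that a binary built from altered source no longer matches the source everyone else can see.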