764 points bertman | 4 comments

abdullahkhalids No.43485194
Is the build infrastructure for Debian also reproducible? It seems like if someone wants to inject malware into Debian package binaries (without injecting it into the source), they have to target the build infrastructure (compilers, linkers and whatever wrapper code is written around them).

Also, is someone else also compiling these images, so we have evidence that the Debian compiling servers were not compromised?

replies(5): >>43485310 >>43485572 >>43485619 >>43486186 >>43492801
1. paulddraper No.43486186
A la xz.

You must ultimately root trust in some set of binaries and any hardware that you use.

replies(1): >>43486993
2. XorNot No.43486993
For user space? No, you can definitely do a stage 0 build which depends only on about 364 bytes of x86_64 binary (though ironically I haven't managed to get this to work for me yet).

The liability is EFI underneath that, and the Intel ring -1 stuff (which we should be mandating is open source).

replies(1): >>43493434
3. paulddraper No.43493434
> which depends only on about 364 bytes of x86_64 binary
replies(1): >>43494146
4. jesboat No.43494146
That's the point at which you say (reasonably accurately) that the 364-byte thing is written in machine code. It is small enough to manually translate between the binary and asm.
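An added example, not from the thread and not stage0's own code: the job the tiny seed binary does is to read hex text and emit the bytes it spells, so everything above it can be written as hex pairs with the hand-translated assembly in comments. The Python below reimplements that translator (following the hex0 convention of hex digit pairs with `#` or `;` comments to end of line, as I understand it; treat the exact comment rules as an assumption), feeds it a constructed hex0 source for a static x86_64 ELF that calls `exit(42)`, and then reads the emitted header back to cross-check the hand-written offsets and sizes, which is the same binary-to-asm check a reviewer of such a seed would do by eye.

```python
"""Toy hex0-style translator plus a read-back check of its output.

Example code written for this page, not the stage0 project's own source.
"""
import hashlib
import os

# Constructed sample in hex0 style: hex digit pairs, '#' or ';' start a
# comment that runs to end of line, everything else is ignored. The program
# is a static x86_64 ELF that runs exit(42); each line carries the assembly
# or struct field it was translated from by hand.
EXIT42_HEX0 = """
# ELF64 header (64 bytes)
7F 45 4C 46                 # e_ident: magic
02 01 01 00                 # ELFCLASS64, little-endian, EV_CURRENT, SYSV ABI
00 00 00 00 00 00 00 00     # e_ident padding
02 00                       # e_type = ET_EXEC
3E 00                       # e_machine = EM_X86_64
01 00 00 00                 # e_version
78 00 40 00 00 00 00 00     # e_entry = 0x400078 (code right after headers)
40 00 00 00 00 00 00 00     # e_phoff = 64
00 00 00 00 00 00 00 00     # e_shoff = 0 (no section headers)
00 00 00 00                 # e_flags
40 00                       # e_ehsize = 64
38 00                       # e_phentsize = 56
01 00                       # e_phnum = 1
00 00 00 00 00 00           # e_shentsize, e_shnum, e_shstrndx
# Program header: one PT_LOAD covering the whole 132-byte file (56 bytes)
01 00 00 00                 # p_type = PT_LOAD
05 00 00 00                 # p_flags = PF_R | PF_X
00 00 00 00 00 00 00 00     # p_offset = 0
00 00 40 00 00 00 00 00     # p_vaddr = 0x400000
00 00 40 00 00 00 00 00     # p_paddr = 0x400000
84 00 00 00 00 00 00 00     # p_filesz = 132
84 00 00 00 00 00 00 00     # p_memsz = 132
00 10 00 00 00 00 00 00     # p_align = 0x1000
# Code at file offset 0x78 (12 bytes)
B8 3C 00 00 00              ; mov eax, 60   (SYS_exit)
BF 2A 00 00 00              ; mov edi, 42
0F 05                       ; syscall
"""


def hex0_to_bytes(text: str) -> bytes:
    """Translate hex0 text to raw bytes: pairs of hex digits become one byte,
    '#'/';' comments run to end of line, all other characters are skipped."""
    out = bytearray()
    pending = None          # high nibble waiting for its partner
    in_comment = False
    for ch in text:
        if in_comment:
            if ch == "\n":
                in_comment = False
            continue
        if ch in "#;":
            in_comment = True
            continue
        if ch in "0123456789abcdefABCDEF":
            val = int(ch, 16)
            if pending is None:
                pending = val
            else:
                out.append((pending << 4) | val)
                pending = None
    if pending is not None:
        raise ValueError("odd number of hex digits in input")
    return bytes(out)


def check_elf_exit_program(blob: bytes) -> dict:
    """Read the emitted ELF back and compare the hand-written header fields
    against what was actually produced."""
    entry = int.from_bytes(blob[24:32], "little")
    phoff = int.from_bytes(blob[32:40], "little")
    vaddr = int.from_bytes(blob[phoff + 16:phoff + 24], "little")
    filesz = int.from_bytes(blob[phoff + 32:phoff + 40], "little")
    return {
        "magic_ok": blob[:4] == b"\x7fELF",
        "filesz_matches": filesz == len(blob),
        "entry_offset": entry - vaddr,          # where the code really starts
        "code_at_entry": blob[entry - vaddr:],  # should be the three instructions
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    elf = hex0_to_bytes(EXIT42_HEX0)
    report = check_elf_exit_program(elf)
    print(f"{len(elf)} bytes, sha256 {report['sha256']}")
    print("header consistent:", report["magic_ok"] and report["filesz_matches"])
    with open("exit42", "wb") as f:
        f.write(elf)
    os.chmod("exit42", 0o755)
```

On a Linux x86_64 host, `python3 hex0_demo.py && ./exit42; echo $?` prints 42. The point of the exercise is that every byte in `EXIT42_HEX0` is accounted for by a comment a reader can verify against the instruction encoding or the ELF spec, and the translator itself is simple enough that its 300-odd-byte machine-code form can be audited the same way; the SHA-256 is what you would compare against an independent rebuild.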