Debian bookworm live images now reproducible

(lwn.net)

764 points bertman | 1 comments | 26 Mar 25 17:22 UTC | HN request time: 0s | source

Show context

abdullahkhalids ◴[26 Mar 25 18:22 UTC] No.43485194[source]▶

Is the build infrastructure for Debian also reproducible? It seems like we if someone wants to inject malware in Debian package binaries (without injecting them into the source), they have to target the build infrastructure (compilers, linkers and whatever wrapper code is written around them).

Also, is someone else also compiling these images, so we have evidence that the Debian compiling servers were not compromised?

replies(5): >>43485310 #>>43485572 #>>43485619 #>>43486186 #>>43492801 #

layer8 ◴[26 Mar 25 18:58 UTC] No.43485619[source]▶

>>43485194 #

And what about the hardware on which the build runs? Is it reproducible? ;)

replies(5): >>43486069 #>>43486115 #>>43486158 #>>43486241 #>>43488837 #

1. TacticalCoder ◴[26 Mar 25 23:43 UTC] No.43488837[source]▶

>>43485619 #

> And what about the hardware on which the build runs? Is it reproducible? ;)

"Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers"

https://dwheeler.com/trusting-trust/

If the build is reproducible inside VMs, then the build can be done on different architectures: say x86 and ARM. If we end up with the same live image, then we're talking something entirely different altogether: either both x86 and ARM are backdoored the same way or the attack is software. Or there's no backdoor (which is a possibility we have to fancy too).

↑