undefined | Better HN

0 pointssavolai1mo ago0 comments

” If you are wondering why we are doing this at all, then hopefully the Reproducible Builds website will explain why this is useful.”

https://reproducible-builds.org/

Could you perhaps respond to the argumentation here?

0 comments

12 comments · 3 top-level

dvogel1mo ago· 4 in thread

(Not OP, but...) I still fail to see the current value in confirming that a reproducing builder also included the same compromised dependency that I did when I built it. I understand that reproducible builds are guarding against dynamic attacks within build infrastructure. However I just don't see those happening. Compromised source dependencies are a 100x more common problem.

ckastner1mo ago

I agree that compromised source dependencies are the bigger problem, but that doesn't mean a compromised build infrastructure isn't. Just this last week, we had two Linux kernel LPEs that could have been leveraged to implement just such an attack, for example.

Another thing to consider is that Debian has quite a few derivatives who may also rebuild packages from source, so you have a multiplier there.

fsflover1mo ago

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

PunchyHamster1mo ago

that's example of attack reproducible packages do not protect from, why you are linking it ?

2 more replies

mmooss1mo ago

https://news.ycombinator.com/item?id=48083768

PunchyHamster1mo ago· 3 in thread

I know why they are useful. I am arguing they are waste of time for effort involved.

Forcing devs to use hardware keys to sign commits/CI requests would be actual security improvement, thwarting many supply chain attacks that only worked coz the attacker got to developer credentials. Hardware keys at least have option to make some operations require physically pressing the key so there is chance developer will notice.

But thanks to reproducible builds, at least someone can... validate that the binary code of vulnerable package can be reproduced. Very fucking useful.

I am not saying it is useless. I am saying it is one of highest hanging fruits on security tree.

uecker1mo ago

A hardware key does not help if the developer's machine is compromised, as there is no change to understand what is signed anymore, or do you think the hardware key will show all the source code on its little display before signing?

With reproducible builds, you do not need to trust that the system that build the binary was not compromised, because this would be detected immediately.

Source compromises are still an issue, but there is a much bigger change that they are detected. Also if there is a compromise, reproducible builds allow you to later track it to the source. For an infected binary it is much more difficult to understand how it got there and what else might be compromised.

PunchyHamster1mo ago

The way at least YK works is that you can set it up that pressing a key is requires for signing so at least "silently steals creds and sends malicious code" case (which is vast majority of compromises) gets handled

> Also if there is a compromise, reproducible builds allow you to later track it to the source.

They do not. Git log and build logs allow for that.

Reproductive builds only have value after the source. They protect build servers from being compromised (and then only if some other uncompromised environment is also running verification passes), if the bug is at source reproductive builds are exactly as valuable as writing commit that was used for build in app's code/package metadata.

1 more reply

rstuart41331mo ago

> I know why they are useful. I am arguing they are waste of time for effort involved.

Not being reproducible is a bug.

There is no reason for a build to not be reproducible, but somehow we let the built binaries become infested with timestamps, login names and file system paths. We recently moved to reproducible builds at work, and discovered that our login names and local home directory paths were being shipped in every release. No one was was very happy about leaking PPI like that.

You may not consider it worth the effort, but you aren't the one putting in the effort so I'm not sure why that matters to you. It is very much worth the effort to those people doing the work. Debian is a do-orcracy and so the people doing the work get to make the decisions.

pseudohadamard1mo ago· 2 in thread

Sure. The site appears to be a bunch of warm-fuzzies that could apply to almost any other measure you take, it's nothing specific to reproducible builds. As the original poster said "There was no bug or attack on Debian since 2007 that reproducible packages would prevent". In fact, it could be argued that reproducible builds lead to a reduction in security, not an improvement: They give an attacker an exact fixed memory layout for all of the binaries, so if you develop something like a ROP exploit for a copy on your local system you know that exploit will work on every other system as well because the binary layout is identical. It's a perfect monoculture where everything is vulnerable to the same exploit. It seems to have been something created by geeks to impress other geeks, without any considerations for whether it has any actual benefit or not.

stabbles1mo ago

This comment is misinformed. Non-deterministic builds would also result in one tarball redistributed to all distro users. The ROP exploits don't work because of ASLR.

pseudohadamard1mo ago

ASLR makes ROP attacks harder, it doesn't stop them, as a great many successful attacks have demonstrated. Heck, bypassing ASLR is taught to students at MIT... can't find the direct link ATM but here's a student assignment, https://csg.csail.mit.edu/6.S983/labs/aslr/.

1 more reply

j / k navigate · click thread line to collapse

0 comments

12 comments · 3 top-level

dvogel1mo ago· 4 in thread

ckastner1mo ago

Another thing to consider is that Debian has quite a few derivatives who may also rebuild packages from source, so you have a multiplier there.

fsflover1mo ago

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

PunchyHamster1mo ago

that's example of attack reproducible packages do not protect from, why you are linking it ?

2 more replies

mmooss1mo ago

https://news.ycombinator.com/item?id=48083768

PunchyHamster1mo ago· 3 in thread

I know why they are useful. I am arguing they are waste of time for effort involved.

But thanks to reproducible builds, at least someone can... validate that the binary code of vulnerable package can be reproduced. Very fucking useful.

I am not saying it is useless. I am saying it is one of highest hanging fruits on security tree.

uecker1mo ago

With reproducible builds, you do not need to trust that the system that build the binary was not compromised, because this would be detected immediately.

PunchyHamster1mo ago

> Also if there is a compromise, reproducible builds allow you to later track it to the source.

They do not. Git log and build logs allow for that.

1 more reply

rstuart41331mo ago

> I know why they are useful. I am arguing they are waste of time for effort involved.

Not being reproducible is a bug.

pseudohadamard1mo ago· 2 in thread

stabbles1mo ago

This comment is misinformed. Non-deterministic builds would also result in one tarball redistributed to all distro users. The ROP exploits don't work because of ASLR.

pseudohadamard1mo ago

1 more reply

j / k navigate · click thread line to collapse