jasonthorsness 7 hours ago

It’s great that these reproducible builds are possible and this is an incredibly thorough and careful validation. Thanks!

GauntletWizard a day ago

This is important work, and I thank you for it. These public transparency logs are important for keeping honest people honest, but also for keeping dishonest people out - If someone does manage to backdoor Google's build process, this is how they'll know.

  • charcircuit 2 hours ago

    Why is this important work to you? Reproducible builds to me are a complete waste of engineering resources and time that could be used elsewhere. All of this work goes towards protecting against theoretical attacks rather than practical ones that are actually happening in the wild.

    • cpuguy83 15 minutes ago

      Distributing software is a lot harder than just building it (with the caveat that people don't want to install build dependencies). So we rely on centralized distribution (and build). Because of this we have to assume trust of that entire chain.

      When builds are reproducible they are independently verifiable which means you only have to trust the code and not the entire distribution chain (build systems, storage, etc).

      Of course if no one bothers to verify then it doesn't matter. This is sort of how xz happened, no one verified that the release tarballs were what they were purported to be.

      • charcircuit 3 minutes ago

        I know what reproducible builds are, but they do not solve practical problems that are actively happening.

        >This is sort of how xz happened

        Reproducible builds wouldn't have caught this. You would reproduce the malicious library the same since the vulnerability is in the input.

    • anilgulecha 2 hours ago

      Supply chain attacks are not theoretical! Just take a look at npm, docker and other repo lands.

      • charcircuit 22 minutes ago

        Those attacks were not prevented by reproducible builds. Those supply chain attacks are the kind of things resources should be put into preventing.

        • cpuguy83 11 minutes ago

          They were completely preventable by independent verification. Just that without reproducible builds you can't independently verify anything.
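The two verification steps cpuguy83 describes in this thread (a build that two parties can reproduce byte-for-byte, and checking that a release tarball really matches the source tree it claims to come from), as an added illustration that is not part of the discussion or of any project's tooling. All function names and the sample "project" files are constructed for the demo.

```python
"""Constructed demo of independent release verification (hypothetical helpers)."""
import hashlib
import io
import tarfile


def build_tar(files: dict) -> bytes:
    """Pack {path: bytes} into an in-memory tar with fixed metadata.

    Sorted order and a constant mtime make the output reproducible: two
    independent runs over the same inputs yield identical bytes.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = 0  # pinned timestamp, otherwise every build differs
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest(tar_bytes: bytes) -> dict:
    """Map each regular file in an archive to the SHA-256 of its contents."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                out[member.name] = hashlib.sha256(data).hexdigest()
    return out


def verify_release(vcs_export: bytes, release_tarball: bytes) -> dict:
    """Report files the release tarball adds, drops or alters relative to the
    version-control export; an empty report means the tarball is what it
    purports to be."""
    trusted, candidate = manifest(vcs_export), manifest(release_tarball)
    return {
        "added": sorted(set(candidate) - set(trusted)),
        "removed": sorted(set(trusted) - set(candidate)),
        "modified": sorted(p for p in trusted if p in candidate and trusted[p] != candidate[p]),
    }


# Constructed sample data: a tiny tree as exported from version control, and a
# "release tarball" that carries one file the repository never contained.
SOURCE_TREE = {"src/main.c": b"int main(void){return 0;}\n", "configure.ac": b"AC_INIT\n"}
RELEASE_TREE = dict(SOURCE_TREE, **{"m4/extra.m4": b"# not in the repository\n"})

if __name__ == "__main__":
    print(verify_release(build_tar(SOURCE_TREE), build_tar(RELEASE_TREE)))
```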