Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 24 May 2023 22:57:39 +0200
From: Ludovic Courtès <ludo@....org>
To: Brian Behlendorf <brian@...lendorf.com>
Cc: oss-security@...ts.openwall.com
Subject: Attestation, reproducible builds, and bootstrapping

Hi,

Brian Behlendorf <brian@...lendorf.com> skribis:

> A clear and more formal way of understanding the different levels of
> attestation of one's build environment can be found in the SLSA
> specification. Here's a story about how Google Cloud incorporates it
> into build service:
>
> https://slsa.dev/blog/2022/12/gcb-slsa-verification
>
> Of course attestation is not proof, and even human certification can
> only go so far. Reproducible builds offer a path there but that goal
> seems just as far away as it was 20 years ago, when Java was going to
> solve that for us.

This is not true: reproducible builds are a reality for a number of
distros already and also upstream (for GNU Guix, we measure 85%
reproducibility on 22K packages; Debian might be even higher).

Bootstrapping has also gone a long way: Guix’s package graph is now
rooted in a 357-byte “binary”¹; everything else (with the exception of a
couple of bootstrap compilers such as GHC, for now) is built from
source, in isolated environments.  A similar bootstrap path is used by
freedesktop-sdk².

So I disagree that one has to resort to attestation and certification;
verifiability and auditability are evidently achievable and they provide
much stronger guarantees.

Ludo’.

¹ https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/
² https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/11557

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.