lemmyreader@lemmy.ml
on 18 Apr 2024 19:51
collapse
Interesting development.
A recent example is that reproducible builds allow for the creation of proof, simply by
rebuilding and comparing the result, that a GCC build whose source was extracted with a
compromised xz was not compromised; this process was achieved without needing to
reverse engineer how the compromise occurred. Similarly, reproducible builds were
reported as being usefully during investigations of the xz compromise.
ozymandias117@lemmy.world
on 18 Apr 2024 21:16
collapse
As much as I love openSUSE, and reproducible builds are a core requirement for trusted computing…
reproducible builds were reported as being useful
Really buries the lede of the xz attack results
either both are trojaned, or none
Edit: It is very useful for the first half - to ensure new packages extracted by a compromised xz weren’t modified during the extraction.
It’s just that reproducing the build of the tampered xz would still produce a bit-for-bit identical compromised version due to the way it modified the build system
threaded - newest
Interesting development.
As much as I love openSUSE, and reproducible builds are a core requirement for trusted computing…
Really buries the lede of the xz attack results
Edit: It is very useful for the first half - to ensure new packages extracted by a compromised xz weren’t modified during the extraction.
It’s just that reproducing the build of the tampered xz would still produce a bit-for-bit identical compromised version due to the way it modified the build system