
Every semester I teach best practices around build pipelines, and every semester someone mentions SolarWinds, and if I, as a company, wanted to set up an entirely independent build pipeline that was entirely independent of the rest of my infrastructure and was managed by different people so I could build in two places and verify binary outputs were identical, how would I do that today? (Assume my build is already reproducible, let's not complicate things)

@bmitch Interesting writeup, which I largely agree with.

But if I may join in with @bjh21 's near-shitposting, Debian has solved these problems.

  1. Source code is signed, admittedly mostly in tarball form; git based approaches are disappointingly not yet widely used.

  2. Debian package builds are 100% hermetic - the dependencies are those installed in the build environment. For modern curl|bash-ware, Debian have gone to war against, and defeated, the language-specific package managers. (The battlefields are a cratered charnel house.)

  3. As Ben notes, there are already multiple rebuilders of Debian packages. The rebuilders don't need to worry so much about malicious inputs: there are no external inputs.

  4. Debian's QA systems already check reproducibility.

FTOAD, this probably isn't a very useful answer for @mjg59.

manpages.debian.org: dgit(1) — dgit — Debian bookworm — Debian Manpages

@Diziet @bjh21 @mjg59
As a Debian user for several decades now, I continue to admire the work done by them. What they have now is a good detection system for compromised builders.

I propose moving from detection to prevention. The verification of a reproducible build should be run as part of the package installer at each endpoint. That will require 100% of packages to be reproducible (they're getting close) and rebuilders to publish their attestations to package repositories.
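An added example, not from anyone in this thread, of the endpoint-side check proposed above and of the "build in two places and compare outputs" question from the opening post: an installer-side verifier that requires a quorum of independent, trusted rebuilders to attest the digest of the package it is about to install, and refuses if any trusted rebuilder disagrees. The rebuilder names, keys and package bytes are constructed, and HMAC stands in for the public-key signatures a real attestation format would use, so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed trust store: rebuilder name -> key held by the endpoint.
# Assumption for this example: HMAC keys instead of public-key signatures.
REBUILDER_KEYS = {
    "rebuilder-a": b"key-a",
    "rebuilder-b": b"key-b",
    "rebuilder-c": b"key-c",
}

def _canonical(att):
    # Sign only the claim fields, in a canonical (sorted, compact) encoding.
    claim = {k: att.get(k) for k in ("rebuilder", "package", "version", "sha256")}
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()

def sign_attestation(rebuilder, package, version, artifact, key):
    # What an independent rebuilder would publish to the package repository.
    att = {"rebuilder": rebuilder, "package": package, "version": version,
           "sha256": hashlib.sha256(artifact).hexdigest()}
    att["sig"] = hmac.new(key, _canonical(att), hashlib.sha256).hexdigest()
    return att

def verify_before_install(artifact, package, version, attestations, quorum=2):
    """Return (ok, reason). ok only if at least `quorum` distinct trusted
    rebuilders attest the local digest and no trusted rebuilder disagrees."""
    local = hashlib.sha256(artifact).hexdigest()
    agreeing = set()
    for att in attestations:
        key = REBUILDER_KEYS.get(att.get("rebuilder"))
        if key is None:
            continue  # untrusted rebuilder: ignored, never counted
        if att.get("package") != package or att.get("version") != version:
            continue  # attestation for some other package or version
        expected = hmac.new(key, _canonical(att), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, att.get("sig", "")):
            continue  # forged or corrupted attestation: ignored
        if att.get("sha256") != local:
            # A trusted rebuilder saw different bytes: a builder or the
            # download path is compromised, so refuse rather than outvote it.
            return False, f"{att['rebuilder']} attests a different digest"
        agreeing.add(att["rebuilder"])
    if len(agreeing) < quorum:
        return False, f"only {len(agreeing)} of {quorum} required rebuilders agree"
    return True, "ok"

if __name__ == "__main__":
    pkg = b"constructed package bytes"  # stands in for a downloaded .deb
    atts = [sign_attestation(n, "pkg", "1.0-1", pkg, k) for n, k in REBUILDER_KEYS.items()]
    print(verify_before_install(pkg, "pkg", "1.0-1", atts))
```

With the quorum set to 2 and a disagreement treated as a hard failure, a single compromised builder can block installs but cannot get a backdoored binary past the check.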

@Diziet @bjh21 @mjg59 On the input side, there's a lot of work needed on scanning for malicious code. That should be a parallel effort, so a single scanner cannot pass checks on a single system and get permission to build everywhere.