On 2022-12-14, Bernhard M. Wiedemann via rb-general wrote:
> a colleague of mine is rather skeptical towards bootstrapping and
> reproducible-builds.
>
> E.g. he wrote
>
> https://fy.blackhats.net.au/blog/html/2021/05/12/compiler_bootstrapping_can_we_trust_rust.html
This seems to miss the point that the sources *are* auditable, even if after the fact, even if imperfectly, whereas the binaries are orders of magnitude harder to audit.

Also curious how to address the bootstrapping problem if a compromised binary ever worked its way into your blind trust of the upstream provided binary compiler? Even if downstream distributions such as OpenSUSE bootstrap from a binary upstream compiler with each new rust version, I sure would hope that upstream can *prove* beyond a reasonable doubt that what they produced is legit in an auditable way... and while I am biased, it seems a bootstrappable and reproducible build is the best current known way to have very high confidence...

That many people use rustup to install rust and nothing has (noticeably) gone horribly wrong yet does not win me over in any argument regarding security.

The https://rustup.rs recommendation of:

  curl ... | sh ...

is relying on the weakest link in the chain of "trusted" certificate authorities; a security vulnerability that is not so much a back door vulnerability, as a wide open front door with the lights on in the dead of night.

The argument that you can't trust the source code is a valid and important concern, but outside the scope of reproducible builds, and there are ways of addressing that through peer review of source code, independent third-party review, and fastidious audit logs of who committed what.

The bugdoor argument kind of falls down eventually, because logically, if someone can trivially inject plausible but incorrect source code (and well... I guess they can), why bother reviewing source code at all? Why bother tracking who committed it at all? Since it is impossible to perfectly review source code, may as well not do any kind of review at all... right?

Uh, no. All review and auditing processes will catch some bugs, and all security measures raise the bar by some degree... using all known best practices will catch as much as we can plausibly catch with our non-infinite resources, despite being imperfect.

I wonder if the reproducible builds focus on bit-for-bit identical perfection gets people's heads stuck in the idea of perfection in all ways? While bit-for-bit identical builds are possible, we do not claim it is absolute, incontrovertible proof of a perfect build. It's just one measure of confidence among many. A good measure, in my opinion, but just one tool.

Compromised compilers most definitely have been released into the wild. It is getting a little old now, but XcodeGhost (a.k.a. Strawhorse) falls squarely into this category:

  https://en.wikipedia.org/wiki/XcodeGhost

Even without more current examples, even though it is difficult to pull off... it is clearly possible, has been done, and been executed by well funded entities in the past... and is, by design, hard to detect. I have no reason to believe that was a one-off playground experiment.

And yes, you eventually get down to how do you trust hardware... there are a lot of rabbit holes here, and at the end of the day, you need to prioritize what the next important thing is, or what gets you the most value in the short, medium and long term. Bootstrappable and Reproducible Builds is probably more in the medium to long term realm... yet can demonstrate some benefits almost immediately... if you only focus on the short term, the long-term work will never happen. I daresay that what the world needs now is a bit more long-term thinking in general.

> and the effect can also be seen in his packaging such as
> https://build.opensuse.org/package/show/openSUSE:Factory/rust1.65
> that ships with two gigabytes of bootstrap compiler binaries for various
> architectures instead of using our existing rust packages of version N-1
> "because compilation takes twice as long".
>
> He also once pointed me to
> https://blog.cmpxchg8b.com/2020/07/you-dont-need-reproducible-builds.html

And for a more light-hearted take... You don't *need* computers either. :)

In a similar vein:

  https://xkcd.com/2368/

Especially I think the alt-text nailed it.

> In the end, it would be useful to collect some well-worded /
> well-thought counter-arguments on r-b.o (if we don't have that already)
>
> https://reproducible-builds.org/docs/buy-in/ could provide some input.
>
> Any thoughts and/or volunteers?

I think Morten Linderud had really good points when this came up before:

  https://lists.reproducible-builds.org/pipermail/rb-general/2020-August/002008.html

live well,
  vagrant
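As an added example (not code from the original post, nor from rustup, openSUSE or any project linked in the thread), here is the "bit-for-bit identical" measure from the message above in practice. A toy build packs a constructed two-file source tree into a .tar.gz and is run twice with simulated wall-clock times one minute apart. The naive variant already differs at byte 4 of the output (the gzip header's MTIME field), and the tar entries inside carry the build time and the builder's uid/gid too; the variant that sorts entries, clamps every timestamp to SOURCE_DATE_EPOCH and zeroes the owner fields yields identical digests on both runs. The file names, contents, and the two build timestamps are constructed sample input; the function names are this example's own.

```python
"""Reproducibility check for a small build artifact.

Added example, not code from the original thread: a toy "build" that packs a
source tree into a .tar.gz, run twice at different wall-clock times, once as
a naive build and once with the usual reproducible-builds fixes applied.
"""
import gzip
import hashlib
import io
import os
import tarfile
import time

# Constructed sample source tree: archive path -> file contents.
SAMPLE_SOURCES = {
    "src/main.rs": b'fn main() { println!("hello"); }\n',
    "Cargo.toml": b'[package]\nname = "hello"\nversion = "0.1.0"\n',
}


def build_tarball(sources, reproducible, build_time=None, source_date_epoch=None):
    """Pack `sources` into an in-memory .tar.gz and return its bytes.

    reproducible=False mimics a naive build: entries in whatever order the
    build walked them, mtime = wall clock at build time, the builder's
    uid/gid recorded, and the gzip header stamped with the build time.

    reproducible=True applies the standard fixes: entries sorted by name,
    every mtime (tar entries and gzip header) clamped to SOURCE_DATE_EPOCH,
    and uid/gid/uname/gname normalised to 0 and "".
    """
    if build_time is None:
        build_time = int(time.time())
    if source_date_epoch is None:
        # Real builds take this from the environment; 0 if unset.
        source_date_epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))

    stamp = source_date_epoch if reproducible else int(build_time)
    names = sorted(sources) if reproducible else list(sources)

    buf = io.BytesIO()
    # GzipFile's mtime= argument sets the 4-byte MTIME field at header offset 4.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=stamp) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in names:
                data = sources[name]
                info = tarfile.TarInfo(name=name)
                info.size = len(data)
                info.mtime = stamp
                if reproducible:
                    info.uid = info.gid = 0
                    info.uname = info.gname = ""
                else:
                    # The naive build leaks the builder's identity into the archive
                    # (falls back to a constant on platforms without getuid/getgid).
                    info.uid = getattr(os, "getuid", lambda: 1000)()
                    info.gid = getattr(os, "getgid", lambda: 1000)()
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(blob):
    """Hex SHA-256 of the artifact, the value a rebuilder would compare."""
    return hashlib.sha256(blob).hexdigest()


def first_difference(a, b):
    """Offset of the first differing byte, or None if the blobs are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def check_reproducible(sources, reproducible, first_build_time, second_build_time):
    """Build twice at different times and compare the results.

    Returns (identical, digest_a, digest_b, first_differing_offset).
    """
    a = build_tarball(sources, reproducible, build_time=first_build_time)
    b = build_tarball(sources, reproducible, build_time=second_build_time)
    return sha256(a) == sha256(b), sha256(a), sha256(b), first_difference(a, b)


if __name__ == "__main__":
    # Constructed timestamps: two builds one minute apart.
    for mode in (False, True):
        same, da, db, off = check_reproducible(SAMPLE_SOURCES, mode, 1670000000, 1670000060)
        label = "reproducible" if mode else "naive"
        print(f"{label:12s} identical={same} first differing byte={off}")
        print(f"             {da}\n             {db}")
```

The first differing offset is the useful diagnostic: for the naive build it lands in the gzip header before any packaged content, which is exactly the kind of "this differs but means nothing" noise that SOURCE_DATE_EPOCH exists to remove, so that a remaining mismatch points at something worth auditing.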