Hi,

One of the reproducible builds talk slides showed a diff of OpenSSH before and after some off-by-one vulnerability was fixed.

Here's a real-world malicious backdoor in Juniper ScreenOS's sshd:
https://community.rapid7.com/servlet/JiveServlet/showImage/38-7376-36434/ssh.png

The yellow highlighted string allows login as any user. Full article:
https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor

Whilst this may have been added in source code, it was well-disguised in the disassembly and just 7 instructions long.

I thought this was a good example of the current state-of-the-art, and why we'd like our binaries and, eventually, installer and VM images reproducible, IMHO.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
_______________________________________________
Reproducible-builds mailing list
Reproduciblefirstname.lastname@example.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds