Would this move by Debian, requiring byte-for-byte reproducible builds, have caught any real-world supply chain attacks seen in the past?
In a Big Move to Linux Security, Debian Makes Reproducible Builds Mandatory
Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch.
It's FOSS (itsfoss.com)
-
@dangoodin it would not have caught the xz attack. But is the point of reproducible builds more about consistency and reliability than security?
-
@kemotep @dangoodin it’s about being able to prove that the binary distribution matches the source code. If the source code is already tainted it won’t help.
-
@kemotep @dangoodin well, in the xz case, it was actually one of the main contributors who slipped in the attack. There is little that can be done against that.
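The point made in the two replies above (a reproducible build proves the shipped binary matches the source, but cannot tell whether the source itself was tainted, as in the xz case), as an added example that is not code from the thread or from Debian's own tooling. It builds a constructed in-memory source tree into a tar.gz and runs the independent-rebuild comparison; SOURCE_TREE, build() and verify_rebuild() are all constructed for this example.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> contents); stands in for a
# package's unpacked source.
SOURCE_TREE = {
    "pkg/main.c": b"int main(void) { return 0; }\n",
    "pkg/Makefile": b"all:\n\tcc -o main main.c\n",
}

def build(tree, wall_clock, source_date_epoch=None):
    """Return the package as tar.gz bytes.

    wall_clock is the builder's clock (seconds). Without source_date_epoch
    it leaks into every tar header and the gzip header, so two builders
    produce different bytes from identical source. With it, timestamps are
    pinned to SOURCE_DATE_EPOCH and entries are sorted (on-disk readdir
    order is not stable), which is what byte-for-byte rebuilds require.
    """
    reproducible = source_date_epoch is not None
    stamp = source_date_epoch if reproducible else wall_clock
    names = sorted(tree) if reproducible else list(tree)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = stamp  # uid/gid/uname/gname stay at tarfile's defaults
            tar.addfile(info, io.BytesIO(tree[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=stamp) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def verify_rebuild(distributed, tree, rebuilder_clock, source_date_epoch=None):
    """The check the policy relies on: an independent party rebuilds the
    package from the same source and compares digests. True on a
    byte-for-byte match. A match proves distributed == build(source); it
    says nothing about whether the source is clean, so a backdoor that was
    committed into the source (the xz case) reproduces just as faithfully.
    """
    rebuilt = build(tree, rebuilder_clock, source_date_epoch)
    return sha256(distributed) == sha256(rebuilt)
```

The two builders use different clocks (an hour apart); only the SOURCE_DATE_EPOCH build survives that, and a tainted tree passes the check exactly as a clean one does.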