
[motherboard] How Debian Is Trying to Shut Down the CIA and Make Software Trustworthy Again

Industry news items concerning VPNs, darknets, crypto, surveillance and secure computing.
Postby parityboy » Mon Sep 14, 2015 7:54 pm

In response to the Snowden revelation that the CIA compromised Apple developers' build process, thus enabling the government to insert backdoors at compile time without developers realizing, Debian, the world's largest free software project, has embarked on a campaign to prevent just such attacks. Debian's solution? Reproducible builds.

In a talk at Chaos Communication Camp in Zehdenick, Germany, earlier this month (full text here), Debian developer Jérémy Bobbio, better known as Lunar, told the audience how the Linux-based operating system is working to bring reproducible builds to all of its more than 22,000 software packages.

Reproducible builds, as the name suggests, make it possible for others to reproduce the build process. "The idea is to get reasonable confidence that a given binary was indeed produced by the source," Lunar said. "We want anyone to be able to produce identical binaries from a given source."


Source

Re: [motherboard] How Debian Is Trying to Shut Down the CIA and Make Software Trustworthy Again

Postby parityboy » Tue Sep 15, 2015 9:33 pm

@thread

This is a good step in the right direction, but doesn't address CINs - a .deb or .rpm transported over non-encrypted HTTP can still have its binaries supplanted in-flight, and nine times out of ten, the end user isn't going to check the hash value of every single binary in the package.

At best the most information you get given is the hash of the .deb or .rpm as a whole, and today's package managers are so quick and easy to use that the average user simply isn't going to go through /tmp or /var/tmp to manually check the contents of each .deb or .rpm. Nor are they going to download the source packages and build those themselves.

However, having said all of this, I feel that reproducible builds are a good, solid foundation upon which to build an attestable platform of "assurance of origin" for software binaries.

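The two checks the thread is talking about, as an added example that is not part of either post or of Debian's tooling: verifying a received .deb against the SHA256 the apt Packages index advertises (catches an in-flight swap), and confirming that two independent builds are byte-identical (the reproducible-builds property). The package name, filename and archive bytes are constructed placeholders, not a real package.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a package's bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_packages_index(text: str) -> dict:
    """Parse the stanzas of an apt Packages index into {package_name: fields}.
    Stanzas are blank-line separated; continuation lines start with a space."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            entries[fields["Package"]] = fields
    return entries


def verify_package(index: dict, name: str, data: bytes) -> bool:
    """True only if the received bytes match the SHA256 the index advertises.
    A .deb swapped in flight installs cleanly but fails here."""
    entry = index.get(name)
    if entry is None or "SHA256" not in entry:
        return False  # unknown package or hash-less index: refuse rather than guess
    return hmac.compare_digest(sha256_hex(data), entry["SHA256"].lower())


def builds_reproducible(build_a: bytes, build_b: bytes) -> bool:
    """Reproducible-build check: two independent builds must be byte-identical."""
    return hmac.compare_digest(sha256_hex(build_a), sha256_hex(build_b))


# Constructed sample data (hypothetical, not a real Debian archive or package).
GOOD_DEB = b"!<arch>\ndebian-binary   2.0\nconstructed payload\n"
TAMPERED_DEB = GOOD_DEB.replace(b"payload", b"PAYLOAD")  # one byte differs
PACKAGES_INDEX = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    "Filename: pool/main/e/example-tool/example-tool_1.0-1_amd64.deb\n"
    f"SHA256: {sha256_hex(GOOD_DEB)}\n"
)
```

Over real mirrors the index itself must come from a signed Release file; this block only shows the hash comparison step that follows.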
