On Thu, Dec 06, 2018 at 03:25:05AM -0500, grarpamp wrote:
> [1] You can't even say those for the release iso's of OpenBSD, FreeBSD, the Linux's, etc... back to their claimed source code repos... because either those repos have no internal cryptographic roots or hashes to sign over or with in the first place, or some process in the path from there to the iso's is not reproducible or cryptographically chained.
>
> Git style signed content hash chains and reproducible builds FTW muffaluggerahs! So Debian Buster is over 90%, yay!
>
> From 2015 80%:
> Lots of progress for Debian's reproducible builds
> https://lwn.net/Articles/630074/
>
> To Buster ~92.4%:
> https://isdebianreproducibleyet.com/
> “NO! … but buster on amd64 is 92.4% reproducible right now!”
>
> To pretty dang gud bruh!:
> Debian reproducible builds project update, 2017-07-23, Stretch/amd64 reaching 94%
> https://lwn.net/Articles/728599/
>
> And some nice summary sheetskis and chartskis:
> https://tests.reproducible-builds.org/debian/reproducible.html
> https://wiki.debian.org/ReproducibleBuilds
>
> Same goes for Apple, Microsoft, Intel, AMD, ARM, Government, etc... You're all still woefully fucked therein because you keep buying the Kool-Aid, and refusing to demand, fix, ignore, or eliminate them and their issues.
>
> #OpenFabs , #OpenHW , #OpenSW , #OpenDev , #OpenBiz , #CryptoCurrency , #Anarchism
Indeed.
> The list of requisites to even get close to improving the situation grows...
Improvement in problem definition is necessary, and is not an "increase" in the requisites to e.g. security of personal communications, simply a fuller understanding of the problem. Alt: we are rising from ignorance. Painful but necessary awareness. Let's add to the above list another obvious in hindsight: #StackMinimization - including HW - i.e. trust boundaries (nee attack surfaces) must be seriously minimized to reach something we can collectively reason about in its elements (hw/ sw).
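The "git style signed content hash chain" point made above, as an added example that is not part of the thread: a stripped-down model of how git derives object ids (blob and commit hashing match git; the tree format and the commit header are simplified, as noted in the comments), showing that a signature over the tip commit transitively covers every earlier blob and commit, and that changing one byte in old history changes the tip even when later trees are untouched.

```python
# Added example (not from the thread): a minimal model of a git-style content
# hash chain; a signature over the tip commit transitively covers all history.
import hashlib

def git_object_id(kind: str, payload: bytes) -> str:
    """Hash a loose object as git does: SHA-1 over "<type> <size>\\0" + content."""
    return hashlib.sha1(f"{kind} {len(payload)}\0".encode() + payload).hexdigest()

def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)

def tree_id(files: dict) -> str:
    # Simplification: real git trees use binary entries; a text listing still
    # makes the tree hash depend on every blob beneath it.
    body = "".join(f"100644 {p} {blob_id(d)}\n" for p, d in sorted(files.items()))
    return git_object_id("tree", body.encode())

def commit_id(tree: str, parent, message: str) -> str:
    # Simplification: author/committer lines omitted; the parent hash is the link.
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else []) + ["", message]
    return git_object_id("commit", "\n".join(lines).encode())

def build_chain(history: list) -> list:
    """history: [(files, message), ...] oldest first -> commit ids, oldest first."""
    ids, parent = [], None
    for files, msg in history:
        parent = commit_id(tree_id(files), parent, msg)
        ids.append(parent)
    return ids

# Constructed sample history: a source file, then a release commit adding VERSION.
HISTORY = [
    ({"main.c": b"int main(void) { return 0; }\n"}, "initial import"),
    ({"main.c": b"int main(void) { return 0; }\n", "VERSION": b"1.0\n"}, "release 1.0"),
]

def tamper_demo() -> tuple:
    """Flip one byte in the first commit's file and rebuild the chain.

    Returns (honest_tip, tampered_tip, tips_differ): the second commit's tree is
    unchanged, yet the tip id changes because it hashes over its parent.
    """
    honest = build_chain(HISTORY)
    tampered = build_chain([({"main.c": b"int main(void) { return 1; }\n"}, "initial import"), HISTORY[1]])
    return honest[-1], tampered[-1], honest[-1] != tampered[-1]

if __name__ == "__main__":
    print(blob_id(b"hello\n"))  # same id `git hash-object` prints for "hello\n"
    print(tamper_demo())
```

Because every id is a pure function of content, two independent builders of the same history get the same tip, which is the property reproducible builds extend from the repository to the shipped artifact.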