----- Forwarded message from "D. Joe" <deejoe@etrumeus.com> -----

Date: Sun, 8 Sep 2013 15:15:48 +0000
From: "D. Joe" <deejoe@etrumeus.com>
To: linux-elitists@zgp.org
Subject: Re: [linux-elitists] Surveillance
User-Agent: Mutt/1.5.20 (2009-06-14)

On Sun, Sep 08, 2013 at 06:58:08AM -0700, Don Marti wrote:
> begin Greg KH quotation of Sat, Sep 07, 2013 at 09:14:31PM -0700:
> > But what else needs to be worked on? What gaps do people feel we have
> > that are causing problems that we can solve with technological
> > measures, not just legal ones?

A repository of deliberately subverted packages for some key components?
Not just to show what's possible when Bad Builds Happen to Good Software,
and call attention to it, but to give people some real scenarios to work
through.

A little less . . . equanimity . . . in the face of unauditable blobs,
maybe?

Getting back to deterministic builds, Eugen has mentioned Tor's efforts
with regard to deterministic builds, and I think we get the nugget of
what deterministic builds entail in the context of a single system vis a
vis a centralized repository, but consider:

https://blog.torproject.org/category/tags/deterministic-builds

Working out the conventions for this could diffuse the targets of
malefactors' subversion attempts against source repositories, against
binary repositories, and against build environments. Think of it,
perhaps, as a web-of-trust applied to the build process, or DVCS meets
web-of-trust meets grid computing.

A great deal of the "build from source" enthusiasm revolves around
making customized builds. To the extent that these are one-off efforts
(even if done on a grand scale, as Marc has described), they don't yield
to distributed end-to-end auditing of the code, from source to object.
With the ability to compare the code at each end of the build toolchain,
perhaps subcommunities of interest will have more incentive to share
details of their more specialized efforts: so they can groom each other
for bugs in the build environment.

-- 
Joe

On ceding power to tech companies: http://xkcd.com/1118/

man screen | grep -A2 weird
       A weird imagination is most useful to gain full advantage of
       all the features.

_______________________________________________
Do not Cc: anyone else on mail sent to this list.
The list server is set for maximum one recipient.
linux-elitists mailing list
linux-elitists@zgp.org
http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
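The thread argues that deterministic builds let independent parties compare "the code at each end of the build toolchain" and so spread out the targets a subverter would have to hit. The following is an added example, not code from the thread, from Tor, or from any reproducible-builds project: a small Python model of that distributed verification. Several constructed "builders" compile the same source through a toy compiler; verifiers accept an artifact hash only when a quorum of builders agree on it. When the build leaks its environment (a wall-clock timestamp), every builder produces different bytes and a subverted builder is indistinguishable from an honest one; pinning that input (in the spirit of the SOURCE_DATE_EPOCH convention, assumed here only as motivation) makes honest builders converge so the subverted output stands out. All builder names, timestamps, the source snippet and the `toy_compile` function are constructed for this example.

```python
"""Model of quorum-based verification of deterministic builds.

Added example (not from the mailing-list thread). Everything below is
constructed: the builders, the timestamps and the stand-in compiler.
"""
import hashlib
from collections import Counter

# Constructed sample input: the "source" every builder compiles.
SOURCE = b"int main(void) { return 0; }\n"


def toy_compile(source: bytes, build_time: int, inject: bytes = b"") -> bytes:
    """Stand-in for a compiler (constructed, not a real toolchain).

    The output depends on the source, on a timestamp supplied by the build
    environment, and on whatever bytes a builder chooses to slip in. The
    timestamp is the non-deterministic input that defeats comparison.
    """
    header = b"BUILT-AT:%d\n" % build_time
    body = hashlib.sha256(source).digest()
    return header + body + inject


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_builders(builders, source: bytes, pin_epoch=None):
    """Run every builder over `source` and return {name: artifact_hash}.

    Each builder is (name, wall_clock_time, injected_bytes). If `pin_epoch`
    is given, every builder uses that fixed timestamp instead of its own
    clock, which is what a deterministic-build convention provides.
    """
    results = {}
    for name, wall_clock, inject in builders:
        build_time = pin_epoch if pin_epoch is not None else wall_clock
        results[name] = sha256_hex(toy_compile(source, build_time, inject))
    return results


def consensus(results, quorum: int):
    """Return (agreed_hash_or_None, outlier_builder_names).

    A hash is accepted only when at least `quorum` independent builders
    produced it. Builders whose output differs from the agreed hash are
    reported as outliers for investigation; with no agreement at all,
    every builder is an outlier because nothing can be verified.
    """
    counts = Counter(results.values())
    top_hash, top_count = counts.most_common(1)[0]
    if top_count < quorum:
        return None, sorted(results)
    outliers = sorted(name for name, h in results.items() if h != top_hash)
    return top_hash, outliers


# Constructed builders: three honest ones and one that appends extra bytes
# to the artifact it publishes.
BUILDERS = [
    ("alice", 1378652148, b""),
    ("bob", 1378652203, b""),
    ("carol", 1378652377, b""),
    ("mallory", 1378652400, b"EXTRA"),  # constructed subverted builder
]
PINNED_EPOCH = 1378512000  # constructed fixed build timestamp


def demo():
    """Compare verification with and without a pinned timestamp."""
    unpinned = consensus(run_builders(BUILDERS, SOURCE), quorum=3)
    pinned = consensus(run_builders(BUILDERS, SOURCE, pin_epoch=PINNED_EPOCH), quorum=3)
    return unpinned, pinned


if __name__ == "__main__":
    unpinned, pinned = demo()
    print("unpinned timestamp: agreed hash =", unpinned[0], "outliers =", unpinned[1])
    print("pinned timestamp:   agreed hash =", pinned[0], "outliers =", pinned[1])
```

The point the model makes is the one the post does: the verification only works once builds are deterministic, because without a pinned timestamp the honest builders disagree among themselves and the quorum never forms. With it, three of four builders converge and the fourth is flagged, and no single repository or build host has to be trusted.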