guix-devel

Re: Reproducible Build Summit


From: Manolis Ragkousis
Subject: Re: Reproducible Build Summit
Date: Sat, 5 Dec 2015 11:02:45 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0

Hello Guix!

It was a great, productive week, and I would really like to thank
everyone who made this possible.

Now some things I want to add:

* Signature challenges

  We had a session on how each project signs the binaries it
distributes and on ways to detect build-system compromise. Georg
from the Tor project told us about this paper
<https://isis.poly.edu/~jcappos/papers/samuel_tuf_ccs_2010.pdf>, which
describes how we can secure a system against such attacks.

I discussed with Ludovic the need for an automated system that will
continuously verify the binary outputs from multiple build sources, so
we can find any possible malicious compromises.
But in order to do that we need to increase our build servers and/or
implement the peer-to-peer binary distribution (Remi?). More machines,
more builds to compare.

The above will also help in testing Guix reproducibility. Finally I will
help Holger install Guix on the ProfitBricks-sponsored machines.

* Authenticating code from a Git repo

  Here I agree with Ludovic that we should find a way to do something
similar to Qubes, so that we are at least able to pinpoint a future
compromise if it happens.

That's what I wanted to add for now.

This was a great week, I learned a lot of new things from a great bunch
of smart and friendly people and I believe we should get a lot more
involved in this initiative.

Manolis.
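
The cross-checking the message above describes, as an added example that is
not part of the original message and not Guix's own tooling: several build
servers report the output hash they obtained for each derivation, and the
script flags the derivations on which they disagree. The builder names,
derivation names and hashes are constructed placeholders, and the rule used
(a strict majority of builders marks the others as suspect; no majority means
the build is simply not reproducible yet; fewer than `min_builders` reports
means nothing can be concluded) is this example's own choice, not a Guix
policy.

```python
"""Cross-check the outputs that several independent build servers report
for the same derivations and flag the ones on which they disagree.

Added example, not Guix code or any project's tooling.  The builder
names, derivation names and hashes are constructed for illustration; in
practice each value would be the hash of the build output as reported
by that build farm (or peer-to-peer node) for that derivation.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: builder -> {derivation -> output hash}.
# The hashes are placeholders, not real store hashes.
SAMPLE_REPORTS: Dict[str, Dict[str, str]] = {
    "hydra-a": {
        "hello-2.10.drv": "sha256:1111",
        "gcc-5.2.0.drv": "sha256:2222",
        "python-3.5.drv": "sha256:3333",
        "glibc-2.22.drv": "sha256:4444",
    },
    "hydra-b": {
        "hello-2.10.drv": "sha256:1111",
        "gcc-5.2.0.drv": "sha256:2222",
        "python-3.5.drv": "sha256:3334",
        "glibc-2.22.drv": "sha256:4444",
    },
    "peer-c": {
        "hello-2.10.drv": "sha256:1111",
        "gcc-5.2.0.drv": "sha256:2229",  # lone dissent from the other two
        "python-3.5.drv": "sha256:3335",
        # glibc was not built on this peer, so only two reports exist for it
    },
}


@dataclass
class Verdict:
    derivation: str
    status: str                 # agree | suspect | unreproducible | insufficient
    majority_hash: Optional[str]
    dissenters: Dict[str, str]  # builder -> hash, for builders off the majority
    builders: int               # how many builders reported this derivation


def compare_outputs(reports: Dict[str, Dict[str, str]],
                    min_builders: int = 3) -> List[Verdict]:
    """Compare every derivation across builders.

    With fewer than min_builders reports a disagreement cannot be
    attributed to anyone (two builders disagreeing only tells you that
    one of them is wrong), which is why more machines mean more useful
    comparisons.
    """
    derivations = sorted({d for r in reports.values() for d in r})
    verdicts: List[Verdict] = []
    for drv in derivations:
        hashes = {b: r[drv] for b, r in reports.items() if drv in r}
        n = len(hashes)
        if n < min_builders:
            verdicts.append(Verdict(drv, "insufficient", None, {}, n))
            continue
        counts = Counter(hashes.values())
        top_hash, top_n = counts.most_common(1)[0]
        if top_n == n:
            verdicts.append(Verdict(drv, "agree", top_hash, {}, n))
        elif top_n * 2 > n:
            # A strict majority agrees; the remaining builders are suspect.
            # Note that a lone dissenter may still be nondeterminism rather
            # than a compromised machine; it is where to look first, not proof.
            dissent = {b: h for b, h in hashes.items() if h != top_hash}
            verdicts.append(Verdict(drv, "suspect", top_hash, dissent, n))
        else:
            # No majority: the build is not reproducible enough to blame anyone.
            verdicts.append(Verdict(drv, "unreproducible", None, dict(hashes), n))
    return verdicts


def dissenting_builders(verdicts: List[Verdict]) -> Dict[str, int]:
    """Count how often each builder is in the minority on a suspect build.

    A builder that keeps dissenting while the others agree is the first
    candidate for a compromised (or merely misconfigured) machine.
    """
    counts: Counter = Counter()
    for v in verdicts:
        if v.status == "suspect":
            counts.update(v.dissenters.keys())
    return dict(counts)


if __name__ == "__main__":
    results = compare_outputs(SAMPLE_REPORTS)
    for v in results:
        print(f"{v.derivation:16} {v.status:14} builders={v.builders} "
              f"{v.dissenters or ''}")
    print("dissent tally:", dissenting_builders(results))
```

Run continuously, the interesting signal is not a single `suspect` verdict but
the tally: a builder that deviates again and again on derivations the others
reproduce bit-for-bit is the machine to take offline and examine.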
