/realnews/ - REAL NEWS

Real News Without Shills or Trolls

 No.377

In response to the Snowden revelation that the CIA compromised Apple developers' build process, thus enabling the government to insert backdoors at compile time without developers realizing, Debian, the world's largest free software project, has embarked on a campaign to prevent just such attacks. Debian's solution? Reproducible builds.

In a talk at Chaos Communication Camp in Zehdenick, Germany, earlier this month (full text here), Debian developer Jérémy Bobbio, better known as Lunar, told the audience how the Linux-based operating system is working to bring reproducible builds to all of its more than 22,000 software packages.

Reproducible builds, as the name suggests, make it possible for others to reproduce the build process. "The idea is to get reasonable confidence that a given binary was indeed produced by the source," Lunar said. "We want anyone to be able to produce identical binaries from a given source."

"We are not discussing a hypothetical attack here."

A software package reproducibly built should be byte for byte identical to the publicly-available package. Any difference would be evidence of tampering.

"The great thing with free software is that we have the freedom to study the source code," he said. "That it does not contain any malware, malicious code, or security bugs."

But how, Lunar asked, do we know that the compiled binary was built from the published source? How do we know the CIA, or other malicious attacker, has not tampered with the build process?

"We are not discussing a hypothetical attack here," he said. "This is a real attack. We are talking about developers in totally good faith producing software, the binary they would give you, and even if they are of good faith, we could be totally owned."

Reproducible builds are already a staple of Bitcoin and the Tor Project. Many other free software projects, including FreeBSD, NetBSD, and OpenWrt, are moving in the same direction.

"This is a bad thing for the CIA and a good thing for us," Lunar said.

https://archive.is/QyT1M

http://motherboard.vice.com/read/how-debian-is-trying-to-shut-down-the-cia-and-make-software-trustworthy-again
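The byte-for-byte check the post describes, as an added example that is not part of this thread or of Debian's own tooling: a toy "package build" with the usual sources of nondeterminism (build time, builder uid, file order) either left in or pinned, and the comparison a third-party rebuilder would run. The tar.gz layout and all function names are my own assumptions.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree: path -> file contents.
SOURCE = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"hello package\n",
}

def build_package(source, reproducible, build_time=1441763881, builder_uid=1000):
    """Return a .tar.gz of `source` as bytes.

    reproducible=False bakes in what a naive build leaks: the wall-clock
    build time (tar mtimes and the gzip header), the builder's uid/gid and
    the order in which the filesystem happened to list the files.
    reproducible=True pins all of them: a fixed timestamp (Debian uses
    SOURCE_DATE_EPOCH for this), root:root ownership and sorted file order.
    """
    mtime = 0 if reproducible else build_time
    uid = 0 if reproducible else builder_uid
    names = sorted(source) if reproducible else list(source)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            data = source[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o755 if name.startswith("usr/bin/") else 0o644
            info.uid = info.gid = uid
            info.uname = info.gname = "root" if reproducible else "builder"
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # gzip stores its own timestamp in the header; pin that too.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def sha256(blob):
    return hashlib.sha256(blob).hexdigest()

def verify_build(published, rebuilt):
    """Rebuilder's check: once builds are reproducible, any mismatch is a finding."""
    return sha256(published) == sha256(rebuilt)

if __name__ == "__main__":
    a = build_package(SOURCE, True, build_time=1, builder_uid=1)
    b = build_package(dict(reversed(SOURCE.items())), True, build_time=2, builder_uid=2)
    print("reproducible builds match:", verify_build(a, b))   # True
    c = build_package(SOURCE, False, build_time=1441763881)
    d = build_package(SOURCE, False, build_time=1441763882)
    print("naive builds match:", verify_build(c, d))          # False
```

Two reproducible builds from different machines, times and listing orders hash identically, while two naive builds one second apart already differ, so only the pinned variant lets a mismatch be read as tampering rather than noise.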

 No.378


 No.380

Thanks for the post /killcen/.


 No.409

>Debian

>SystemD is the default

>secure

Signing packages and reproducible builds don't fix the massive attack surface presented by the single controlling process that is called SystemD.

All it takes is one person compromising SystemD to own every SystemD Linux distribution.

The fact that SystemD contains services like ntp, dhcp, dns, and logind makes this a prime target for anyone trying to compromise a distribution that's built using SystemD userland.

If you want security, go with Gentoo or a BSD.



