I'm here today to talk to you about diffoscope and how you can use it as a better diff, or for Quality Assurance, etc., things like that.

Moin!

Apparently that's like a North German thing to say "welcome". North German, north Denmark, Scandinavia, that kind of thing, I'm told. People are shaking their heads, so I'm going to assume that's true.

This is my first PC, an IBM 5155. Sometimes, when you rebooted it, it would launch into, it would somehow revert from booting from the hard disk to booting from a BASIC ROM, as in the programming language ROM. It was on my motherboard for some reason. So, randomly, you'd just get a chance to program in BASIC and then, sometimes you wouldn't, I don't know why, but… yeah. It's quite fun with this kind of clicky keyboard, and that folded in, and it was this kind of big desk thing.

Anyway…
Not Synced
This is my first Debian.
-
Not Synced
At the time it was already old.
-
Not Synced
What's this one? Is this Slink? 2.2?
Yeah.
-
Not Synced
And this is when we had US and non-US,
so that's really dating if you remember that.
-
Not Synced
This is my first contribution to Debian,
19th December 2006,
-
Not Synced
sending a patch to lillypond which is kind
of interesting
-
Not Synced
and the response was "Oh yeah, rock on,
many thanks. I'll upload this and
-
Not Synced
it'll be landing to Etch".
-
Not Synced
And this was super motivating because
Etch was just coming out and it was like
-
Not Synced
"Great, I've got let one line of tiny patch
in a release. This is super cool."
-
Not Synced
Thomas' response was super motivating.
-
Not Synced
So, after that, like that Christmas
basically spent ???
-
Not Synced
Debian webpages and stuff.
-
Not Synced
Very well timed.
-
Not Synced
That's kind of a good…
-
Not Synced
You know, someone sends a patch, be like
"Cool, thanks"
-
Not Synced
Like a little notice in the changelog.
-
Not Synced
It was, you know, so stupid but…
Yeah, do that kind of thing.
-
Not Synced
So, moving on.
Why diffoscope? Why did we write diffoscope? What's the background here? It comes from reproducible builds.

The very quick outline is that once you get the source code for free software, you download the source code for nginx or whatever, pretty much everyone just runs binaries on their servers or their systems. You know, "apt install bla", "yum install", whatever. Android Play Store, whatever. Can you actually trust whether these two things correspond with each other? You've gotten the source code, it looks alright, and then you install this binary, yeah… Who generated that? Can you trust that process? Can you trust who generated it? Even if you could trust them, could you trust them not to be exploited? Etc.

This is a big problem because you can exploit a build farm and then obviously exploit all of that, you know, a trojan into the build farm, so every single binary that comes out is compromised. Kind of problematic. You could also target individual developers' machines, so I could go off to, say, your machine, add a backdoor to it, so every binary that you give to friends and things like that are compromised in some way, stealing your bitcoins or whatever. I can also ??? and blackmail you into producing software that has compromises or extra features, shall we say, that don't exist in the source code. So what will happen there is that you'd release your source and the binaries you produce have this sort of backdoor that, you know, someone is forcing you into producing. So, you don't want to do that.

Anyway, enough of that.
Not Synced
What you do for reproducible builds is you
ensure that every time you build
-
Not Synced
a piece of software, you get an identical
result.
-
Not Synced
Multiple people then compare their builds
and check whether they all get
-
Not Synced
the same results
-
Not Synced
and this means that an attacker must
either have infected everyone
-
Not Synced
at the same time, or they haven't
infected anyone.
-
Not Synced
The point here is that you have to ensure
that builds have identical results.
-
Not Synced
Ok, great.
-
Not Synced
So, we started the reproducible builds
project, etc.
-
Not Synced
And we build 2 debs.
-
Not Synced
Oh, I'm sorry about the colors there.
-
Not Synced
You probably can't see that.
-
Not Synced
That says "sha1sum a.deb b.deb".
-
Not Synced
Anyway, we're comparing the sha1sums
of 2 binary Debian files.
-
Not Synced
So, these two files differ.
-
Not Synced
Ok, they're not reproducible.
-
Not Synced
Why is that?
-
Not Synced
So we run a diff on them.
-
Not Synced
Yeah…
-
Not Synced
So, what can we learn from this?
-
Not Synced
Well, not very much, visibly they're
compressed so
-
Not Synced
as soon as we see one change, we'll see
they would just cascade changes
-
Not Synced
because that's how compression works.
-
Not Synced
I guess we know it's a deb ???
format file, not very useful.
-
Not Synced
Ok, great so we're gonna have a look in
-
Not Synced
We'll do a binary diff and ok, well…
-
Not Synced
Again, that's not really telling us
very much
-
Not Synced
with the diff there.
-
Not Synced
Ok, great.
-
Not Synced
???
-
Not Synced
"ar x" is on the new maintainer thing,
"how you unpack a deb"
-
Not Synced
Everyone remembers this, right?
-
Not Synced
You unpack a.deb with "ar x" and you
do that to b.deb
-
Not Synced
and then we diff the results of that.
-
Not Synced
Ok, so…yeah, 7zip.
-
Not Synced
Ok, compressed content, not very useful.
-
Not Synced
Ok, so let's unpack the control.tar inside
these debs.
-
Not Synced
And then we run diff on that.
-
Not Synced
Still not really telling anything useful
about how to make this package reproducible
-
Not Synced
So let's unpack the tar.xz into the tar.
-
Not Synced
Inside that tar, there's a file called
md5sums and we start to see some differences
-
Not Synced
between some files in these two debs.
-
Not Synced
??? meaningful, so now
we have some idea that
-
Not Synced
it has something to do with this
usr/bin/pmixer binary.
-
Not Synced
Ok, interesting.
-
Not Synced
We'll unzip that and then we do a diff on
pmixer itself.
-
Not Synced
Now we're back into just binary
??? mode
-
Not Synced
This isn't very helpful and this is taking
quite a while
-
Not Synced
and if I remember correctly, Debian has
a lot of packages.
-
Not Synced
So this might take a little while.
-
Not Synced
So, basically, ??? meme
-
Not Synced
I should build a better diff.
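The manual dig through two .deb files that the talk walks through by hand (ar x, unpack control.tar.xz, read md5sums, see which file differs), as an added example that is not part of the talk or of diffoscope: two tiny .deb files are constructed in memory (the ar container, the tar.xz members and the md5sums layout are assumed to follow the real formats, with a build time embedded in the constructed binary), and the md5sums comparison pinpoints the one file worth diffing further.

```python
import hashlib, io, tarfile

def ar_pack(members):
    """Build a minimal 'ar' archive (the outer .deb container) from (name, bytes) pairs."""
    out = b"!<arch>\n"
    for name, data in members:
        # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}100644  {len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")  # members are 2-byte aligned
    return out

def ar_unpack(blob):
    """Parse an 'ar' archive into {member name: bytes}; the equivalent of 'ar x a.deb'."""
    pos, members = 8, {}  # skip the "!<arch>\n" magic
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name, size = hdr[:16].decode().strip().rstrip("/"), int(hdr[48:58].decode())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members

def tar_xz(files):
    """Pack {path: bytes} into a tar.xz, the member format the talk unpacks step by step."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path); info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_deb(data_files):
    """Constructed stand-in for a real .deb: debian-binary, control.tar.xz (with md5sums), data.tar.xz."""
    md5sums = "".join(f"{hashlib.md5(d).hexdigest()}  {p}\n" for p, d in sorted(data_files.items()))
    control = tar_xz({"md5sums": md5sums.encode()})
    return ar_pack([("debian-binary", b"2.0\n"), ("control.tar.xz", control), ("data.tar.xz", tar_xz(data_files))])

def read_md5sums(deb):
    """ar x, unpack control.tar.xz, read md5sums -> {path: md5}: the first step that shows a meaningful diff."""
    control = ar_unpack(deb)["control.tar.xz"]
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:xz") as tar:
        text = tar.extractfile("md5sums").read().decode()
    return {path: md5 for md5, path in (line.split("  ", 1) for line in text.splitlines())}

def differing_files(deb_a, deb_b):
    """Paths whose md5sums differ between two builds, i.e. where to look next (here usr/bin/pmixer)."""
    a, b = read_md5sums(deb_a), read_md5sums(deb_b)
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))

# Two constructed builds of the same package; only the binary differs (an embedded build time).
BUILD_A = build_deb({"usr/bin/pmixer": b"\x7fELF...built 2017-08-06T10:00", "usr/share/doc/pmixer/copyright": b"GPL-2+\n"})
BUILD_B = build_deb({"usr/bin/pmixer": b"\x7fELF...built 2017-08-06T10:05", "usr/share/doc/pmixer/copyright": b"GPL-2+\n"})
```

Calling differing_files(BUILD_A, BUILD_B) returns ['usr/bin/pmixer'], the same pointer the md5sums step gives in the talk; a whole-archive diff of the two blobs would only show the cascading compression changes.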