Stretching out for trustworthy reproducible builds creating bit by bit identical binaries

Welcome and good morning. This is the reproducible builds team, talking about "Stretching out towards trustworthy computing".

[Applause]

We're 4 on stage, but actually this is a team effort. All these people listed here have contributed to the project at one point. The 4 of us, that's Lunar − me, there's Dhole, Chris Lamb − lamby, and Holger. But actually, this is DebConf and so a lot more of us have been or are currently here and so, if you want to thank anybody that is working on this you need to actually thank all of these folks 'cause, yay.

[Applause]

[Holger] The people in blue are here.

[Lunar] Let's get started.

Quick ??? on what we're talking about. We have software, it's made from source. Source is readable by humans or at least a good amount of humans. In this room it's good. Binary, readable by computer and some tiny fraction of humanity. Going from source to binary is called build, or like building or compiling and we're doing free software and free software is awesome because we can actually run these binaries like we want. We can actually study the software, how it's been made by studying the source and by studying the source we can assess that it does what it's supposed to do and not something else that does not have malware, or trojans or security bugs.

So we have the binary that can be used, fine. We have the source that can be verified. Problem is that right now, the only way we know that a binary that we get… We have to trust a website or a Debian repository that says "Well, this binary has been made with this source". But there's no way we can actually prove that.

This is actually a problem that has been well explained by Mike Perry and Seth Schoen at the 31c3 in Hamburg last December. For example, Seth Schoen made a proof of concept exploit for the Linux kernel that when GCC was called, the kernel would without modifying anything on the disk when the kernel detects that GCC is going to read a C file, it will insert some extra lines of code, and these lines of code can be a very bad thing in the case of 31c3 talk I was just recalling.

Actually, you can even have developers who are in very good faith, who have totally secure dev machines, or they thought they have, who have reviewed all their source code for any bugs and we would still get totally owned as soon as their computer gets compromised or one of the build daemons from Debian gets compromised for example. This is not, like, hypothetical threats here we're discussing.

A couple of months after Seth and Mike's talk at 31c3, The Intercept revealed from the Snowden leaks that at a CIA conference in 2012, one of the talks that happened was about a project called Strawhorse. Strawhorse is about modifying Apple XCode, which is the development environment for MacOS 10 and iOS applications and well, they were modifying XCode so it would produce, without the developer knowing, binaries with trojans, malware, ??? binaries, lots of bad things.

So, solution: enable anyone to reproduce identical binary packages from a given source. Because if using a source, using the same environment, multiple people on different computers, on different networks, at different times, can all get the same thing from the same source all the same binary, byte for byte, then there's a good chance that… Well, everybody could be owned, but let's be more joyful and say that probably, if everybody gets the same result, there was actually no problem and everybody is safe. We call that solution "reproducible builds". Yay.

[Applause]

Actually, it's not only about security. For Debian, we have, if you're doing "Multi-arch: same" packages, well they only have the same bytes if they are built for different architectures, the files in the package. Debug packages, you can create at a later time, if you forgot to have debug packages in the first place, you can pass the no-strip option later and because the package is reproducible, you will get the debug symbols that work for software that has been shipped already. We do early detection of FTBFS that way because if we try pretty quickly to reproduce a build, then it has to work.
              
Debconf
