• lemmyreader@lemmy.ml
    link
    fedilink
    English
    arrow-up
    16
    ·
    8 months ago

    Interesting development.

    A recent example is that reproducible builds allow for the creation of proof, simply by rebuilding and comparing the result, that a GCC build whose source was extracted with a compromised xz was not compromised; this process was achieved without needing to reverse engineer how the compromise occurred. Similarly, reproducible builds were reported as being usefully during investigations of the xz compromise.

    • ozymandias117@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      ·
      edit-2
      8 months ago

      As much as I love openSUSE, and reproducible builds are a core requirement for trusted computing…

      reproducible builds were reported as being useful

      Really buries the lede of the xz attack results

      either both are trojaned, or none

      Edit: It is very useful for the first half - to ensure new packages extracted by a compromised xz weren’t modified during the extraction.

      It’s just that reproducing the build of the tampered xz would still produce a bit-for-bit identical compromised version due to the way it modified the build system