On Fri, 2008-08-29 at 12:07 +0200, Nils Philippsen wrote:

> Build "reproducers" would have to use the exact
> same versions for reproduction attempts.

We keep the logs in Koji that tell us what versions and releases of packages were used to build things.

> Keep in mind that this can lead to false negatives, i.e. if all
> reproducers use the same compromised compiler package that someone
> managed to sneak in -- this could realistically only show attacks on the
> build system itself.

Of course. The aim of this would only be prevention of a compromised build system and/or compromised Fedora key causing a distro-wide disaster. Compromised source of an uploaded package and especially trojaned compilers are entirely different problems and are mostly beyond the scope of what the distributed trust model is about (as presented here). I was only using David's compiler comment to illustrate that it is a good thing for a build to be deterministic. David seems to have developed a pretty good technique for tackling trojaned compilers (which distributors should be using regularly, IMHO).

> I think that's a bit dangerous as malicious code could be designed in a
> way that it's edited out before checksumming (make it look like you've
> incorporated the kernel version).

I would say that people who are capable of injecting malicious instruction streams into binaries of disparate CPUs that always read "2.6.25.14-108.fc9.i686" should be employed immediately ;-)

But seriously, yeah, there is some danger in that. We could also rely on some kind of elfdiff or something else instead. There are ways.

--
Bojan

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
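The risk Nils raises, that blanking a version string before checksumming also blanks anything hidden alongside it, and the stricter alternative of allowing a difference only where both builds hold a well-formed version string, as an added example that is not code from this thread, from Koji or from any Fedora tool. The 128-byte "binary" layout, the fixed 32-byte version window at offset 64 and the version pattern are constructed assumptions for the demonstration.

```python
import hashlib
import re

# Constructed layout (assumption): a 32-byte, NUL-padded window at offset 64
# holds the kernel version; only its build number may legitimately differ.
WINDOW = slice(64, 96)
VERSION_RE = re.compile(rb"^2\.6\.25\.14-\d+\.fc9\.i686\x00*$")


def make_build(version: bytes, window_tail: bytes = b"") -> bytes:
    """Constructed sample 'binary': 64 fixed code bytes, the version window,
    then 32 more fixed bytes. window_tail models extra bytes smuggled into
    the window right after the version string."""
    field = (version + window_tail).ljust(32, b"\x00")
    if len(field) != 32:
        raise ValueError("version window overflow")
    return bytes(range(64)) + field + bytes(range(64, 96))


def masked_hash(blob: bytes) -> str:
    """Risky normalization: zero the whole window, then hash. Anything an
    attacker placed inside the window is zeroed too, so it never shows up."""
    masked = blob[:WINDOW.start] + b"\x00" * 32 + blob[WINDOW.stop:]
    return hashlib.sha256(masked).hexdigest()


def naive_reproduces(official: bytes, rebuild: bytes) -> bool:
    return masked_hash(official) == masked_hash(rebuild)


def strict_reproduces(official: bytes, rebuild: bytes) -> bool:
    """Positive check: everything outside the window must match exactly, and
    the window on both sides must contain nothing but a well-formed version
    string plus NUL padding. Extra bytes in the window fail the pattern."""
    if len(official) != len(rebuild):
        return False
    if official[:WINDOW.start] != rebuild[:WINDOW.start]:
        return False
    if official[WINDOW.stop:] != rebuild[WINDOW.stop:]:
        return False
    return bool(VERSION_RE.match(official[WINDOW])) and \
        bool(VERSION_RE.match(rebuild[WINDOW]))


# Constructed samples: the official build, an honest rebuild with a new
# build number, and a rebuild that hides two extra bytes ("XX") in the window.
OFFICIAL = make_build(b"2.6.25.14-108.fc9.i686")
HONEST = make_build(b"2.6.25.14-109.fc9.i686")
TAMPERED = make_build(b"2.6.25.14-109.fc9.i686", b"XX")

if __name__ == "__main__":
    print("naive  honest/tampered:", naive_reproduces(OFFICIAL, HONEST),
          naive_reproduces(OFFICIAL, TAMPERED))
    print("strict honest/tampered:", strict_reproduces(OFFICIAL, HONEST),
          strict_reproduces(OFFICIAL, TAMPERED))
```

The masked hash accepts both rebuilds, so the tampered one is a false negative; the strict check accepts only the honest rebuild and also rejects any change outside the window.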