SlideShare a Scribd company logo

You think you're not a target? A tale of three developers...

Speck&Tech
Speck&Tech

If you develop or distribute software of any kind, you are vulnerable to whole categories of attacks upon yourself or your loved ones. This includes blackmail, extortion or "just" simple malware injection… By targeting software developers such as yourself, malicious actors, including nefarious governments, can infect and attack thousands — if not millions — of end users. How can we avert this? The idea behind "reproducible" builds is to allow verification that no flaws have been introduced during build processes; this prevents against the installation of backdoor- introducing malware on developers' machines, ensuring attempts at extortion and other forms of subterfuge are quickly uncovered and thus ultimately futile. Through a story of three different developers, this talk will engage you on this growing threat to you and how it affects everyone involved in the production lifecycle of software development, as well as how reproducible builds can help prevent against it. BIO: Currently Project Leader of the Debian GNU/Linux project and a member of Board of Directors for the Open Source Initiative, Chris is a freelance computer programmer, author of dozens of free-software projects and contributor to 100s of others. He has been official Debian Developer since 2008 and is currently highly active in the Reproducible Builds sub-project. In his spare time he is an avid classical musician with a penchant for baroque music. Chris has spoken at numerous conferences including LinuxCon China, HKOSCon, linux.conf.au, DjangoCon Europe, LibrePlanet, OSCAL, All Things Open, SCALE, Software Freedom Kosovo, #freenode Live, DebConf, FOSS'ASIA, as well as given guest lectures at New York University Tandon School of Engineering & Cambridge University and is looking forward to sharing his enthusiasm with the Speck&Tech community.

Technology
1 of 46
Download to read offline
Chris LambChris Lamb @lolamby@lolamby chris@reproducible-builds.orgchris@reproducible-builds.org Speck&TechSpeck&Tech Trento, ItalyTrento, Italy 26th Febuary, 201926th Febuary, 2019
Debian Project Leader 2017— OpenSource.org board director Free so ware developer for 10+ years Freelance so ware developer
Three developers…Three developers…
AliceAlice
BobBob
← Caro← Caro
Eve →Eve →
General problemGeneral problem Can view source code for malicious flaws But users install pre-compiled packages Can we trust the compilation process?
Solution?Solution? 1. Start with the same source 2. Ensure builds always have identical results 3. Compare results
How does this help?How does this help? Alice → Blackmail will be uncovered Bob → Compromise detected Carol → Tampered laptop will be discovered Reduces incentive to attack in the first place
"Builds with the same dependencies"... ✖ "Reliable" builds... ✖ Identical build results
Wait…Wait…
Dictionary/hash/database ordering Parallelism in builds Timestamps Build paths Non-deterministic file ordering Users, groups, umask, environment variables, etc.
Other advantages?Other advantages?
Minimal diffs on "deliberate" changes Cache ratio — save time, money & CO2 Remove build-dependencies Finds bugs!
Predictable OpenID secretPredictable OpenID secret # Build.PL $build->config_data(OpenIDConsumerSecret=>int(1e15*rand())); Every installation of this build shares the same secret. # /usr/share/perl5/GBrowse/ConfigData.pm { 'OpenIDConsumerSecret' => '639098210478536', 'cgibin' => '/usr/lib/cgi-bin/gbrowse', 'conf' => '/etc/gbrowse', [..] },
Random characters in manpages?Random characters in manpages? -This manual page documents the usageoof WikipediaFS. +This manual page documents the usage of WikipediaFS. memcpy(&buf[1], &buf[2], strlen(buf)-1); memcpy(3): The memory areas must not overlap - memcpy(&buf[1], &buf[2], strlen(buf)-1); + memmove(&buf[1], &buf[2], strlen(buf)-1);
Fails to build 0.46% of the time?Fails to build 0.46% of the time? x = f(u('abc'), 16) y = f(u('abc'), 16) self.assertEqual(sorted(set(x)), [u('a'), u('b'), u('c')]) AssertionError: Lists differ: [u'a', u'b'] != [u'a', u'b', u'c'] (3C2)*(2/3)16 – (3C1)*(1/3)16 =~ 0.46%
Debian & Reproducible BuildsDebian & Reproducible Builds
"Torture test""Torture test" Time & date Hostname & domain name Filesystem (disorderfs) Timezone & locale uid & gid Kernel & CPU type
First rebuild in 2013 24% packages reproducible March 2018 93% packages reproducible
 
isdebianreproducibleyet.comisdebianreproducibleyet.com
Beyond Debian…Beyond Debian… coreboot, Fedora, LEDE, OpenWRT, NetBSD, FreeBSD, Archlinux, Qubes, F-Droid, NixOS, Guix, Meson, etc. Other projects using "Debian"'s testing framework Reproducible Builds summits (Athens, Berlin)
# diff -urNad file1 file2 --- file1 2017-06-18 12:37:03.179186661 +0800 +++ file2 2017-06-18 12:37:04.811193648 +0800 @@ -1 +1 @@ -This is the first file. +This is the second file.
https://diffoscope.org/
├── aspell-de_20131206-5_all.deb │ ├── metadata │ │ rw-r--r-- 0/0 4 Jun 11 16:19 2014 debian-binary │ │ -rw-r--r-- 0/0 2893 Jun 11 16:19 2014 control.tar.gz │ │ -rw-r--r-- 0/0 329600 Jun 11 16:19 2014 data.tar.xz │ │ +rw-r--r-- 0/0 2875 Jun 11 16:19 2014 control.tar.gz │ │ +rw-r--r-- 0/0 329596 Jun 11 16:19 2014 data.tar.xz │ ├── control.tar.gz │ │ ├── control.tar │ │ │ ├── md5sums │ │ │ │┄ Files in package differ │ ├── data.tar.xz │ │ ├── data.tar │ │ │ ├── ./usr/lib/aspell/de_affix.dat │ │ │ │ # │ │ │ │ -# Version: 20131206 (build 20150801) │ │ │ │ +# Version: 20131206 (build 20150802) │ │ │ │ # │ │ │ ├── ./usr/share/aspell/de-common.cwl.gz │ │ │ │ ├── metadata │ │ │ │ │ -gzip compressed data, last modified: Sat Aug 1 18:21 │ │ │ │ │ +gzip compressed data, last modified: Sat Aug 1 18:24
HTML outputHTML output
Android APK files, Android boot images, Ar(1) archives, Berkeley DB database files, Bzip2 archives, Character/block devices, ColorSync colour profiles (.icc), Coreboot CBFS filesystem images, Cpio archives, Dalvik .dex files, Debian .buildinfo files, Debian .changes files, Debian source packages (.dsc), Device Tree Compiler blob files, Directories, ELF binaries, Ext2/ext3/ext4/btrfs filesystems, FreeDesktop Fontconfig cache files, FreePascal files (.ppu), Gettext message catalogues, GHC Haskell .hi files, GIF image files, Git repositories, GNU R database files (.rdb), GNU R Rscript files (.rds), Gnumeric spreadsheets, Gzipped files, ISO 9660 CD images, Java .class files, JavaScript files, JPEG images, JSON files, LLVM IR bitcode files, MacOS binaries, Microso Windows icon files, Microso Word .docx files, Mono 'Portable Executable' files, Ogg Vorbis audio files, OpenOffice .odt files, OpenSSH public keys, OpenWRT package archives (.ipk), PDF documents, PGP signed/encrypted messages, PNG images, PostScript documents, RPM archives, Rust object files (.deflate), SQLite databases, SquashFS filesystems, Statically-linked binaries, Symlinks, Tape archives (.tar), Tcpdump capture files (.pcap), Text files, TrueType font files, XML binary schemas (.xsb), XML files, XZ compressed files, etc.
try.diffoscope.orgtry.diffoscope.org
Show differences in security uploads diffoscope ≠ definition of reproducible! Binary blobs (eg. images for routers / IoT devices)
What's le to do?What's le to do?
Source codeSource code Programming errors Backdoors / obfusticated code Weak algorithms Code with "testing" modes
$ apt install python-pywt-doc Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: python-pywt-doc 0 upgraded, 1 newly installed, 0 to remove and 4 not upgrad Need to get 102 kB of archives. After this operation, 978 kB of additional disk space will WARNING: The following packages are not reproducible! python-pywt-doc Install these packages anyway? [y/N]
Toolchain fixes (GCC, Go, R) Infrastructure changes Improving developer tools Mandating Debian packages be reproducible? Defeating Trusting Trust…?
Get involved!Get involved! Visit: Follow: @ReproBuilds on Twitter Join: #reproducible-builds (OFTC) reproducible-builds.org
Grazie!Grazie! @lolamby@lolamby lamby@debian.orglamby@debian.org chris-lamb.co.ukchris-lamb.co.uk reproducible-builds.orgreproducible-builds.org

Recommended

Kernel Recipes 2016 - Patches carved into stone tablets...
Kernel Recipes 2016 - Patches carved into stone tablets...Kernel Recipes 2016 - Patches carved into stone tablets...
Kernel Recipes 2016 - Patches carved into stone tablets...Anne Nicolas
 
Linux
LinuxLinux
Linuxahmed sami
 
Intro to Python programming and iPython
Intro to Python programming and iPython Intro to Python programming and iPython
Intro to Python programming and iPython Bioinformatics and Computational Biosciences Branch
 
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)William Liang
 
Quick Guide with Linux Command Line
Quick Guide with Linux Command LineQuick Guide with Linux Command Line
Quick Guide with Linux Command LineAnuchit Chalothorn
 
UNIX Basics and Cluster Computing
UNIX Basics and Cluster ComputingUNIX Basics and Cluster Computing
UNIX Basics and Cluster ComputingBioinformatics and Computational Biosciences Branch
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdwebuploader
 
Kernel Recipes 2016 - The kernel report
Kernel Recipes 2016 - The kernel reportKernel Recipes 2016 - The kernel report
Kernel Recipes 2016 - The kernel reportAnne Nicolas
 

Recommended

Kernel Recipes 2016 - Patches carved into stone tablets...
Kernel Recipes 2016 - Patches carved into stone tablets...Kernel Recipes 2016 - Patches carved into stone tablets...
Kernel Recipes 2016 - Patches carved into stone tablets...Anne Nicolas
 
Linux
LinuxLinux
Linuxahmed sami
 
Intro to Python programming and iPython
Intro to Python programming and iPython Intro to Python programming and iPython
Intro to Python programming and iPython Bioinformatics and Computational Biosciences Branch
 
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)William Liang
 
Quick Guide with Linux Command Line
Quick Guide with Linux Command LineQuick Guide with Linux Command Line
Quick Guide with Linux Command LineAnuchit Chalothorn
 
UNIX Basics and Cluster Computing
UNIX Basics and Cluster ComputingUNIX Basics and Cluster Computing
UNIX Basics and Cluster ComputingBioinformatics and Computational Biosciences Branch
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdwebuploader
 
Kernel Recipes 2016 - The kernel report
Kernel Recipes 2016 - The kernel reportKernel Recipes 2016 - The kernel report
Kernel Recipes 2016 - The kernel reportAnne Nicolas
 
Browsing The Source Code of Linux Packages
Browsing The Source Code of Linux PackagesBrowsing The Source Code of Linux Packages
Browsing The Source Code of Linux PackagesMotaz Saad
 
Kernel Recipes 2016 - Kernel documentation: what we have and where it’s going
Kernel Recipes 2016 - Kernel documentation: what we have and where it’s goingKernel Recipes 2016 - Kernel documentation: what we have and where it’s going
Kernel Recipes 2016 - Kernel documentation: what we have and where it’s goingAnne Nicolas
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smartJeff Beley
 
Embedded Rust – Rust on IoT devices
Embedded Rust – Rust on IoT devicesEmbedded Rust – Rust on IoT devices
Embedded Rust – Rust on IoT devicesLars Gregori
 
securing_syslog_onFreeBSD
securing_syslog_onFreeBSDsecuring_syslog_onFreeBSD
securing_syslog_onFreeBSDwebuploader
 
Linux introduction (eng)
Linux introduction (eng)Linux introduction (eng)
Linux introduction (eng)Anatoliy Okhotnikov
 
101 4.1 create partitions and filesystems
101 4.1 create partitions and filesystems101 4.1 create partitions and filesystems
101 4.1 create partitions and filesystemsAcácio Oliveira
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinESET
 
Basic commands
Basic commandsBasic commands
Basic commandsambilivava
 
Data hiding and finding on Linux
Data hiding and finding on LinuxData hiding and finding on Linux
Data hiding and finding on LinuxAnton Chuvakin
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Basic 50 linus command
Basic 50 linus commandBasic 50 linus command
Basic 50 linus commandMAGNA COLLEGE OF ENGINEERING
 
Linux distribution for the cloud
Linux distribution for the cloudLinux distribution for the cloud
Linux distribution for the cloudPeter Eisentraut
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
Managing your data - Introduction to Linux for bioinformatics
Managing your data - Introduction to Linux for bioinformaticsManaging your data - Introduction to Linux for bioinformatics
Managing your data - Introduction to Linux for bioinformaticsBITS
 
Debian packaging
Debian packagingDebian packaging
Debian packagingDimitris Tsompanidis
 
Linux powerpoint
Linux powerpointLinux powerpoint
Linux powerpointbijanshr
 
Linux: An Unbeaten Empire
Linux: An Unbeaten EmpireLinux: An Unbeaten Empire
Linux: An Unbeaten EmpireYogesh Sharma
 
Linux commands
Linux commands Linux commands
Linux commands debashis rout
 
AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!Zubair Nabi
 
The Lives of Others: Open-Source Development Practices Elsewhere
The Lives of Others: Open-Source Development Practices ElsewhereThe Lives of Others: Open-Source Development Practices Elsewhere
The Lives of Others: Open-Source Development Practices ElsewherePeter Eisentraut
 
Foss Presentation
Foss PresentationFoss Presentation
Foss PresentationAhmed Mekkawy
 

More Related Content

What's hot

Browsing The Source Code of Linux Packages
Browsing The Source Code of Linux PackagesBrowsing The Source Code of Linux Packages
Browsing The Source Code of Linux PackagesMotaz Saad
 
Kernel Recipes 2016 - Kernel documentation: what we have and where it’s going
Kernel Recipes 2016 - Kernel documentation: what we have and where it’s goingKernel Recipes 2016 - Kernel documentation: what we have and where it’s going
Kernel Recipes 2016 - Kernel documentation: what we have and where it’s goingAnne Nicolas
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smartJeff Beley
 
Embedded Rust – Rust on IoT devices
Embedded Rust – Rust on IoT devicesEmbedded Rust – Rust on IoT devices
Embedded Rust – Rust on IoT devicesLars Gregori
 
securing_syslog_onFreeBSD
securing_syslog_onFreeBSDsecuring_syslog_onFreeBSD
securing_syslog_onFreeBSDwebuploader
 
101 4.1 create partitions and filesystems
101 4.1 create partitions and filesystems101 4.1 create partitions and filesystems
101 4.1 create partitions and filesystemsAcácio Oliveira
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinESET
 
Basic commands
Basic commandsBasic commands
Basic commandsambilivava
 
Data hiding and finding on Linux
Data hiding and finding on LinuxData hiding and finding on Linux
Data hiding and finding on LinuxAnton Chuvakin
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Linux distribution for the cloud
Linux distribution for the cloudLinux distribution for the cloud
Linux distribution for the cloudPeter Eisentraut
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
Managing your data - Introduction to Linux for bioinformatics
Managing your data - Introduction to Linux for bioinformaticsManaging your data - Introduction to Linux for bioinformatics
Managing your data - Introduction to Linux for bioinformaticsBITS
 
Linux powerpoint
Linux powerpointLinux powerpoint
Linux powerpointbijanshr
 
Linux: An Unbeaten Empire
Linux: An Unbeaten EmpireLinux: An Unbeaten Empire
Linux: An Unbeaten EmpireYogesh Sharma
 
AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!Zubair Nabi
 

What's hot (20)

Browsing The Source Code of Linux Packages
Browsing The Source Code of Linux PackagesBrowsing The Source Code of Linux Packages
Browsing The Source Code of Linux Packages
 
Kernel Recipes 2016 - Kernel documentation: what we have and where it’s going
Kernel Recipes 2016 - Kernel documentation: what we have and where it’s goingKernel Recipes 2016 - Kernel documentation: what we have and where it’s going
Kernel Recipes 2016 - Kernel documentation: what we have and where it’s going
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
 
Embedded Rust – Rust on IoT devices
Embedded Rust – Rust on IoT devicesEmbedded Rust – Rust on IoT devices
Embedded Rust – Rust on IoT devices
 
securing_syslog_onFreeBSD
securing_syslog_onFreeBSDsecuring_syslog_onFreeBSD
securing_syslog_onFreeBSD
 
Linux introduction (eng)
Linux introduction (eng)Linux introduction (eng)
Linux introduction (eng)
 
101 4.1 create partitions and filesystems
101 4.1 create partitions and filesystems101 4.1 create partitions and filesystems
101 4.1 create partitions and filesystems
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus Bulletin
 
Basic commands
Basic commandsBasic commands
Basic commands
 
Data hiding and finding on Linux
Data hiding and finding on LinuxData hiding and finding on Linux
Data hiding and finding on Linux
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
Basic 50 linus command
Basic 50 linus commandBasic 50 linus command
Basic 50 linus command
 
Linux distribution for the cloud
Linux distribution for the cloudLinux distribution for the cloud
Linux distribution for the cloud
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
Managing your data - Introduction to Linux for bioinformatics
Managing your data - Introduction to Linux for bioinformaticsManaging your data - Introduction to Linux for bioinformatics
Managing your data - Introduction to Linux for bioinformatics
 
Debian packaging
Debian packagingDebian packaging
Debian packaging
 
Linux powerpoint
Linux powerpointLinux powerpoint
Linux powerpoint
 
Linux: An Unbeaten Empire
Linux: An Unbeaten EmpireLinux: An Unbeaten Empire
Linux: An Unbeaten Empire
 
Linux commands
Linux commands Linux commands
Linux commands
 
AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!
 

Similar to You think you're not a target? A tale of three developers...

The Lives of Others: Open-Source Development Practices Elsewhere
The Lives of Others: Open-Source Development Practices ElsewhereThe Lives of Others: Open-Source Development Practices Elsewhere
The Lives of Others: Open-Source Development Practices ElsewherePeter Eisentraut
 
Linux Survival Kit for Proof of Concept & Proof of Technology
Linux Survival Kit for Proof of Concept & Proof of TechnologyLinux Survival Kit for Proof of Concept & Proof of Technology
Linux Survival Kit for Proof of Concept & Proof of TechnologyNugroho Gito
 
How to became a Gentoo developer
How to became a Gentoo developerHow to became a Gentoo developer
How to became a Gentoo developeralice ferrazzi
 
Group project linux helix
Group project linux helixGroup project linux helix
Group project linux helixJeff Carroll
 
FreeBSD - LinuxExpo
FreeBSD - LinuxExpoFreeBSD - LinuxExpo
FreeBSD - LinuxExpowebuploader
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
16° punto Guia Nº2 Sena (Docente Lina P)
16° punto Guia Nº2 Sena (Docente Lina P)16° punto Guia Nº2 Sena (Docente Lina P)
16° punto Guia Nº2 Sena (Docente Lina P)Metal Heads
 
Python on FreeBSD
Python on FreeBSDPython on FreeBSD
Python on FreeBSDpycontw
 
How to install gentoo distributed
How to install gentoo distributedHow to install gentoo distributed
How to install gentoo distributedSongWang54
 
Lamp1
Lamp1Lamp1
Lamp1Reka
 
Lamp
LampLamp
LampReka
 
Intro To Linux
Intro To LinuxIntro To Linux
Intro To Linuxtechlug
 
Containers for Science and High-Performance Computing
Containers for Science and High-Performance ComputingContainers for Science and High-Performance Computing
Containers for Science and High-Performance ComputingDmitry Spodarets
 

Similar to You think you're not a target? A tale of three developers... (20)

The Lives of Others: Open-Source Development Practices Elsewhere
The Lives of Others: Open-Source Development Practices ElsewhereThe Lives of Others: Open-Source Development Practices Elsewhere
The Lives of Others: Open-Source Development Practices Elsewhere
 
Foss Presentation
Foss PresentationFoss Presentation
Foss Presentation
 
Linux Survival Kit for Proof of Concept & Proof of Technology
Linux Survival Kit for Proof of Concept & Proof of TechnologyLinux Survival Kit for Proof of Concept & Proof of Technology
Linux Survival Kit for Proof of Concept & Proof of Technology
 
How to became a Gentoo developer
How to became a Gentoo developerHow to became a Gentoo developer
How to became a Gentoo developer
 
Group project linux helix
Group project linux helixGroup project linux helix
Group project linux helix
 
FreeBSD - LinuxExpo
FreeBSD - LinuxExpoFreeBSD - LinuxExpo
FreeBSD - LinuxExpo
 
Edubooktraining
EdubooktrainingEdubooktraining
Edubooktraining
 
Linux basic
Linux basicLinux basic
Linux basic
 
Intro to linux
Intro to linuxIntro to linux
Intro to linux
 
Linux
Linux Linux
Linux
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
16° punto Guia Nº2 Sena (Docente Lina P)
16° punto Guia Nº2 Sena (Docente Lina P)16° punto Guia Nº2 Sena (Docente Lina P)
16° punto Guia Nº2 Sena (Docente Lina P)
 
Linux
LinuxLinux
Linux
 
Python on FreeBSD
Python on FreeBSDPython on FreeBSD
Python on FreeBSD
 
How to install gentoo distributed
How to install gentoo distributedHow to install gentoo distributed
How to install gentoo distributed
 
Lamp1
Lamp1Lamp1
Lamp1
 
Lamp1
Lamp1Lamp1
Lamp1
 
Lamp
LampLamp
Lamp
 
Intro To Linux
Intro To LinuxIntro To Linux
Intro To Linux
 
Containers for Science and High-Performance Computing
Containers for Science and High-Performance ComputingContainers for Science and High-Performance Computing
Containers for Science and High-Performance Computing
 

More from Speck&Tech

What should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futuresWhat should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futuresSpeck&Tech
 
Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"Speck&Tech
 
AWS: gestire la scalabilità su larga scala
AWS: gestire la scalabilità su larga scalaAWS: gestire la scalabilità su larga scala
AWS: gestire la scalabilità su larga scalaSpeck&Tech
 
Praticamente... AWS - Amazon Web Services
Praticamente... AWS - Amazon Web ServicesPraticamente... AWS - Amazon Web Services
Praticamente... AWS - Amazon Web ServicesSpeck&Tech
 
Data Sense-making: navigating the world through the lens of information design
Data Sense-making: navigating the world through the lens of information designData Sense-making: navigating the world through the lens of information design
Data Sense-making: navigating the world through the lens of information designSpeck&Tech
 
Data Activism: data as rhetoric, data as power
Data Activism: data as rhetoric, data as powerData Activism: data as rhetoric, data as power
Data Activism: data as rhetoric, data as powerSpeck&Tech
 
Delve into the world of the human microbiome and metagenomics
Delve into the world of the human microbiome and metagenomicsDelve into the world of the human microbiome and metagenomics
Delve into the world of the human microbiome and metagenomicsSpeck&Tech
 
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...Speck&Tech
 
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...Speck&Tech
 
Why LLMs should be handled with care
Why LLMs should be handled with careWhy LLMs should be handled with care
Why LLMs should be handled with careSpeck&Tech
 
Building intelligent applications with Large Language Models
Building intelligent applications with Large Language ModelsBuilding intelligent applications with Large Language Models
Building intelligent applications with Large Language ModelsSpeck&Tech
 
Privacy in the era of quantum computers
Privacy in the era of quantum computersPrivacy in the era of quantum computers
Privacy in the era of quantum computersSpeck&Tech
 
Machine learning with quantum computers
Machine learning with quantum computersMachine learning with quantum computers
Machine learning with quantum computersSpeck&Tech
 
Give your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUsGive your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUsSpeck&Tech
 
From leaf to orbit: exploring forests with technology
From leaf to orbit: exploring forests with technologyFrom leaf to orbit: exploring forests with technology
From leaf to orbit: exploring forests with technologySpeck&Tech
 
Innovating Wood
Innovating WoodInnovating Wood
Innovating WoodSpeck&Tech
 
Behind the scenes of our everyday Internet: the role of an IXP like MIX
Behind the scenes of our everyday Internet: the role of an IXP like MIXBehind the scenes of our everyday Internet: the role of an IXP like MIX
Behind the scenes of our everyday Internet: the role of an IXP like MIXSpeck&Tech
 
Architecting a 35 PB distributed parallel file system for science
Architecting a 35 PB distributed parallel file system for scienceArchitecting a 35 PB distributed parallel file system for science
Architecting a 35 PB distributed parallel file system for scienceSpeck&Tech
 
Truck planning: how to certify the right route
Truck planning: how to certify the right routeTruck planning: how to certify the right route
Truck planning: how to certify the right routeSpeck&Tech
 
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...Speck&Tech
 

More from Speck&Tech (20)

What should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futuresWhat should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futures
 
Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"
 
AWS: gestire la scalabilità su larga scala
AWS: gestire la scalabilità su larga scalaAWS: gestire la scalabilità su larga scala
AWS: gestire la scalabilità su larga scala
 
Praticamente... AWS - Amazon Web Services
Praticamente... AWS - Amazon Web ServicesPraticamente... AWS - Amazon Web Services
Praticamente... AWS - Amazon Web Services
 
Data Sense-making: navigating the world through the lens of information design
Data Sense-making: navigating the world through the lens of information designData Sense-making: navigating the world through the lens of information design
Data Sense-making: navigating the world through the lens of information design
 
Data Activism: data as rhetoric, data as power
Data Activism: data as rhetoric, data as powerData Activism: data as rhetoric, data as power
Data Activism: data as rhetoric, data as power
 
Delve into the world of the human microbiome and metagenomics
Delve into the world of the human microbiome and metagenomicsDelve into the world of the human microbiome and metagenomics
Delve into the world of the human microbiome and metagenomics
 
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
 
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
 
Why LLMs should be handled with care
Why LLMs should be handled with careWhy LLMs should be handled with care
Why LLMs should be handled with care
 
Building intelligent applications with Large Language Models
Building intelligent applications with Large Language ModelsBuilding intelligent applications with Large Language Models
Building intelligent applications with Large Language Models
 
Privacy in the era of quantum computers
Privacy in the era of quantum computersPrivacy in the era of quantum computers
Privacy in the era of quantum computers
 
Machine learning with quantum computers
Machine learning with quantum computersMachine learning with quantum computers
Machine learning with quantum computers
 
Give your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUsGive your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUs
 
From leaf to orbit: exploring forests with technology
From leaf to orbit: exploring forests with technologyFrom leaf to orbit: exploring forests with technology
From leaf to orbit: exploring forests with technology
 
Innovating Wood
Innovating WoodInnovating Wood
Innovating Wood
 
Behind the scenes of our everyday Internet: the role of an IXP like MIX
Behind the scenes of our everyday Internet: the role of an IXP like MIXBehind the scenes of our everyday Internet: the role of an IXP like MIX
Behind the scenes of our everyday Internet: the role of an IXP like MIX
 
Architecting a 35 PB distributed parallel file system for science
Architecting a 35 PB distributed parallel file system for scienceArchitecting a 35 PB distributed parallel file system for science
Architecting a 35 PB distributed parallel file system for science
 
Truck planning: how to certify the right route
Truck planning: how to certify the right routeTruck planning: how to certify the right route
Truck planning: how to certify the right route
 
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

You think you're not a target? A tale of three developers...

  • 2. Debian Project Leader 2017— OpenSource.org board director Free so ware developer for 10+ years Freelance so ware developer
  • 3.
  • 6.
  • 7.
  • 11.
  • 12. General problemGeneral problem Can view source code for malicious flaws But users install pre-compiled packages Can we trust the compilation process?
  • 13. Solution?Solution? 1. Start with the same source 2. Ensure builds always have identical results 3. Compare results
  • 14.
  • 15.
  • 16.
  • 17. How does this help?How does this help? Alice → Blackmail will be uncovered Bob → Compromise detected Carol → Tampered laptop will be discovered Reduces incentive to attack in the first place
  • 18. "Builds with the same dependencies"... ✖ "Reliable" builds... ✖ Identical build results
  • 20. Dictionary/hash/database ordering Parallelism in builds Timestamps Build paths Non-deterministic file ordering Users, groups, umask, environment variables, etc.
  • 22. Minimal diffs on "deliberate" changes Cache ratio — save time, money & CO2 Remove build-dependencies Finds bugs!
  • 23. Predictable OpenID secretPredictable OpenID secret # Build.PL $build->config_data(OpenIDConsumerSecret=>int(1e15*rand())); Every installation of this build shares the same secret. # /usr/share/perl5/GBrowse/ConfigData.pm { 'OpenIDConsumerSecret' => '639098210478536', 'cgibin' => '/usr/lib/cgi-bin/gbrowse', 'conf' => '/etc/gbrowse', [..] },
  • 24. Random characters in manpages?Random characters in manpages? -This manual page documents the usageoof WikipediaFS. +This manual page documents the usage of WikipediaFS. memcpy(&buf[1], &buf[2], strlen(buf)-1); memcpy(3): The memory areas must not overlap - memcpy(&buf[1], &buf[2], strlen(buf)-1); + memmove(&buf[1], &buf[2], strlen(buf)-1);
  • 25. Fails to build 0.46% of the time?Fails to build 0.46% of the time? x = f(u('abc'), 16) y = f(u('abc'), 16) self.assertEqual(sorted(set(x)), [u('a'), u('b'), u('c')]) AssertionError: Lists differ: [u'a', u'b'] != [u'a', u'b', u'c'] (3C2)*(2/3)16 – (3C1)*(1/3)16 =~ 0.46%
  • 26. Debian & Reproducible BuildsDebian & Reproducible Builds
  • 27. "Torture test""Torture test" Time & date Hostname & domain name Filesystem (disorderfs) Timezone & locale uid & gid Kernel & CPU type
  • 28. First rebuild in 2013 24% packages reproducible March 2018 93% packages reproducible
  • 29.  
  • 31. Beyond Debian…Beyond Debian… coreboot, Fedora, LEDE, OpenWRT, NetBSD, FreeBSD, Archlinux, Qubes, F-Droid, NixOS, Guix, Meson, etc. Other projects using "Debian"'s testing framework Reproducible Builds summits (Athens, Berlin)
  • 32. # diff -urNad file1 file2 --- file1 2017-06-18 12:37:03.179186661 +0800 +++ file2 2017-06-18 12:37:04.811193648 +0800 @@ -1 +1 @@ -This is the first file. +This is the second file.
  • 33.
  • 34.
  • 36. ├── aspell-de_20131206-5_all.deb │ ├── metadata │ │ rw-r--r-- 0/0 4 Jun 11 16:19 2014 debian-binary │ │ -rw-r--r-- 0/0 2893 Jun 11 16:19 2014 control.tar.gz │ │ -rw-r--r-- 0/0 329600 Jun 11 16:19 2014 data.tar.xz │ │ +rw-r--r-- 0/0 2875 Jun 11 16:19 2014 control.tar.gz │ │ +rw-r--r-- 0/0 329596 Jun 11 16:19 2014 data.tar.xz │ ├── control.tar.gz │ │ ├── control.tar │ │ │ ├── md5sums │ │ │ │┄ Files in package differ │ ├── data.tar.xz │ │ ├── data.tar │ │ │ ├── ./usr/lib/aspell/de_affix.dat │ │ │ │ # │ │ │ │ -# Version: 20131206 (build 20150801) │ │ │ │ +# Version: 20131206 (build 20150802) │ │ │ │ # │ │ │ ├── ./usr/share/aspell/de-common.cwl.gz │ │ │ │ ├── metadata │ │ │ │ │ -gzip compressed data, last modified: Sat Aug 1 18:21 │ │ │ │ │ +gzip compressed data, last modified: Sat Aug 1 18:24
  • 38. Android APK files, Android boot images, Ar(1) archives, Berkeley DB database files, Bzip2 archives, Character/block devices, ColorSync colour profiles (.icc), Coreboot CBFS filesystem images, Cpio archives, Dalvik .dex files, Debian .buildinfo files, Debian .changes files, Debian source packages (.dsc), Device Tree Compiler blob files, Directories, ELF binaries, Ext2/ext3/ext4/btrfs filesystems, FreeDesktop Fontconfig cache files, FreePascal files (.ppu), Gettext message catalogues, GHC Haskell .hi files, GIF image files, Git repositories, GNU R database files (.rdb), GNU R Rscript files (.rds), Gnumeric spreadsheets, Gzipped files, ISO 9660 CD images, Java .class files, JavaScript files, JPEG images, JSON files, LLVM IR bitcode files, MacOS binaries, Microso Windows icon files, Microso Word .docx files, Mono 'Portable Executable' files, Ogg Vorbis audio files, OpenOffice .odt files, OpenSSH public keys, OpenWRT package archives (.ipk), PDF documents, PGP signed/encrypted messages, PNG images, PostScript documents, RPM archives, Rust object files (.deflate), SQLite databases, SquashFS filesystems, Statically-linked binaries, Symlinks, Tape archives (.tar), Tcpdump capture files (.pcap), Text files, TrueType font files, XML binary schemas (.xsb), XML files, XZ compressed files, etc.
  • 40. Show differences in security uploads diffoscope ≠ definition of reproducible! Binary blobs (eg. images for routers / IoT devices)
  • 41. What's le to do?What's le to do?
  • 42. Source codeSource code Programming errors Backdoors / obfusticated code Weak algorithms Code with "testing" modes
  • 43. $ apt install python-pywt-doc Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: python-pywt-doc 0 upgraded, 1 newly installed, 0 to remove and 4 not upgrad Need to get 102 kB of archives. After this operation, 978 kB of additional disk space will WARNING: The following packages are not reproducible! python-pywt-doc Install these packages anyway? [y/N]
  • 44. Toolchain fixes (GCC, Go, R) Infrastructure changes Improving developer tools Mandating Debian packages be reproducible? Defeating Trusting Trust…?
  • 45. Get involved!Get involved! Visit: Follow: @ReproBuilds on Twitter Join: #reproducible-builds (OFTC) reproducible-builds.org