If you develop or distribute software of any kind, you are vulnerable to whole categories of attacks upon yourself or your loved ones. This includes blackmail, extortion or "just" simple malware injection… By targeting software developers such as yourself, malicious actors, including nefarious governments, can infect and attack thousands — if not millions — of end users. How can we avert this? The idea behind "reproducible" builds is to allow verification that no flaws have been introduced during build processes; this prevents against the installation of backdoor- introducing malware on developers' machines, ensuring attempts at extortion and other forms of subterfuge are quickly uncovered and thus ultimately futile. Through a story of three different developers, this talk will engage you on this growing threat to you and how it affects everyone involved in the production lifecycle of software development, as well as how reproducible builds can help prevent against it.
BIO: Currently Project Leader of the Debian GNU/Linux project and a member of Board of Directors for the Open Source Initiative, Chris is a freelance computer programmer, author of dozens of free-software projects and contributor to 100s of others. He has been official Debian Developer since 2008 and is currently highly active in the Reproducible Builds sub-project. In his spare time he is an avid classical musician with a penchant for baroque music. Chris has spoken at numerous conferences including LinuxCon China, HKOSCon, linux.conf.au, DjangoCon Europe, LibrePlanet, OSCAL, All Things Open, SCALE, Software Freedom Kosovo, #freenode Live, DebConf, FOSS'ASIA, as well as given guest lectures at New York University Tandon School of Engineering & Cambridge University and is looking forward to sharing his enthusiasm with the Speck&Tech community.
12. General problemGeneral problem
Can view source code for malicious flaws
But users install pre-compiled packages
Can we trust the compilation process?
17. How does this help?How does this help?
Alice → Blackmail will be uncovered
Bob → Compromise detected
Carol → Tampered laptop will be discovered
Reduces incentive to attack in the first place
18. "Builds with the same dependencies"... ✖
"Reliable" builds... ✖
Identical build results
22. Minimal diffs on "deliberate" changes
Cache ratio — save time, money & CO2
Remove build-dependencies
Finds bugs!
23. Predictable OpenID secretPredictable OpenID secret
# Build.PL
$build->config_data(OpenIDConsumerSecret=>int(1e15*rand()));
Every installation of this build shares the same secret.
# /usr/share/perl5/GBrowse/ConfigData.pm
{
'OpenIDConsumerSecret' => '639098210478536',
'cgibin' => '/usr/lib/cgi-bin/gbrowse',
'conf' => '/etc/gbrowse',
[..]
},
24. Random characters in manpages?Random characters in manpages?
-This manual page documents the usageoof WikipediaFS.
+This manual page documents the usage of WikipediaFS.
memcpy(&buf[1], &buf[2], strlen(buf)-1);
memcpy(3): The memory areas must not overlap
- memcpy(&buf[1], &buf[2], strlen(buf)-1);
+ memmove(&buf[1], &buf[2], strlen(buf)-1);
25. Fails to build 0.46% of the time?Fails to build 0.46% of the time?
x = f(u('abc'), 16)
y = f(u('abc'), 16)
self.assertEqual(sorted(set(x)), [u('a'), u('b'), u('c')])
AssertionError: Lists differ: [u'a', u'b'] != [u'a', u'b', u'c']
(3C2)*(2/3)16 – (3C1)*(1/3)16 =~ 0.46%
31. Beyond Debian…Beyond Debian…
coreboot, Fedora, LEDE, OpenWRT, NetBSD, FreeBSD,
Archlinux, Qubes, F-Droid, NixOS, Guix, Meson, etc.
Other projects using "Debian"'s testing framework
Reproducible Builds summits (Athens, Berlin)
32. # diff -urNad file1 file2
--- file1 2017-06-18 12:37:03.179186661 +0800
+++ file2 2017-06-18 12:37:04.811193648 +0800
@@ -1 +1 @@
-This is the first file.
+This is the second file.
43. $ apt install python-pywt-doc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
python-pywt-doc
0 upgraded, 1 newly installed, 0 to remove and 4 not upgrad
Need to get 102 kB of archives.
After this operation, 978 kB of additional disk space will
WARNING: The following packages are not reproducible!
python-pywt-doc
Install these packages anyway? [y/N]