You think you're not a target? A tale of three developers...
1 like447 views
The document discusses the importance of reproducible builds in software development to ensure that compiled packages are trustworthy and free from malicious alterations. It highlights the need for identical build results, outlines steps to achieve determinism in builds, and presents the progress made by the Debian project towards achieving reproducibility. Additionally, it encourages participation in reproducible builds initiatives and lists other projects engaged in similar efforts.
![Predictable OpenID secretPredictable OpenID secret
# Build.PL
$build->config_data(OpenIDConsumerSecret=>int(1e15*rand()));
Every installation of this build shares the same secret.
# /usr/share/perl5/GBrowse/ConfigData.pm
{
'OpenIDConsumerSecret' => '639098210478536',
'cgibin' => '/usr/lib/cgi-bin/gbrowse',
'conf' => '/etc/gbrowse',
[..]
},](https://image.slidesharecdn.com/2019-02-26-speck-and-tech-unstableurl-190308080317/85/You-think-you-re-not-a-target-A-tale-of-three-developers-23-320.jpg)
![Random characters in manpages?Random characters in manpages?
-This manual page documents the usageoof WikipediaFS.
+This manual page documents the usage of WikipediaFS.
memcpy(&buf[1], &buf[2], strlen(buf)-1);
memcpy(3): The memory areas must not overlap
- memcpy(&buf[1], &buf[2], strlen(buf)-1);
+ memmove(&buf[1], &buf[2], strlen(buf)-1);](https://image.slidesharecdn.com/2019-02-26-speck-and-tech-unstableurl-190308080317/85/You-think-you-re-not-a-target-A-tale-of-three-developers-24-320.jpg)
![Fails to build 0.46% of the time?Fails to build 0.46% of the time?
x = f(u('abc'), 16)
y = f(u('abc'), 16)
self.assertEqual(sorted(set(x)), [u('a'), u('b'), u('c')])
AssertionError: Lists differ: [u'a', u'b'] != [u'a', u'b', u'c']
(3C2)*(2/3)16 – (3C1)*(1/3)16 =~ 0.46%](https://image.slidesharecdn.com/2019-02-26-speck-and-tech-unstableurl-190308080317/85/You-think-you-re-not-a-target-A-tale-of-three-developers-25-320.jpg)
![$ apt install python-pywt-doc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
python-pywt-doc
0 upgraded, 1 newly installed, 0 to remove and 4 not upgrad
Need to get 102 kB of archives.
After this operation, 978 kB of additional disk space will
WARNING: The following packages are not reproducible!
python-pywt-doc
Install these packages anyway? [y/N]](https://image.slidesharecdn.com/2019-02-26-speck-and-tech-unstableurl-190308080317/85/You-think-you-re-not-a-target-A-tale-of-three-developers-43-320.jpg)
You think you're not a target? A tale of three developers...
- 1. Chris LambChris Lamb @lolamby@lolamby chris@reproducible-builds.orgchris@reproducible-builds.org Speck&TechSpeck&Tech Trento, ItalyTrento, Italy 26th Febuary, 201926th Febuary, 2019
- 2. Debian Project Leader 2017— OpenSource.org board director Free so ware developer for 10+ years Freelance so ware developer
- 5. AliceAlice
- 8. BobBob
- 9. ← Caro← Caro
- 10. Eve →Eve →
- 12. General problemGeneral problem Can view source code for malicious flaws But users install pre-compiled packages Can we trust the compilation process?
- 13. Solution?Solution? 1. Start with the same source 2. Ensure builds always have identical results 3. Compare results
- 17. How does this help?How does this help? Alice → Blackmail will be uncovered Bob → Compromise detected Carol → Tampered laptop will be discovered Reduces incentive to attack in the first place
- 18. "Builds with the same dependencies"... ✖ "Reliable" builds... ✖ Identical build results
- 19. Wait…Wait…
- 20. Dictionary/hash/database ordering Parallelism in builds Timestamps Build paths Non-deterministic file ordering Users, groups, umask, environment variables, etc.
- 22. Minimal diffs on "deliberate" changes Cache ratio — save time, money & CO2 Remove build-dependencies Finds bugs!
- 23. Predictable OpenID secretPredictable OpenID secret # Build.PL $build->config_data(OpenIDConsumerSecret=>int(1e15*rand())); Every installation of this build shares the same secret. # /usr/share/perl5/GBrowse/ConfigData.pm { 'OpenIDConsumerSecret' => '639098210478536', 'cgibin' => '/usr/lib/cgi-bin/gbrowse', 'conf' => '/etc/gbrowse', [..] },
- 24. Random characters in manpages?Random characters in manpages? -This manual page documents the usageoof WikipediaFS. +This manual page documents the usage of WikipediaFS. memcpy(&buf[1], &buf[2], strlen(buf)-1); memcpy(3): The memory areas must not overlap - memcpy(&buf[1], &buf[2], strlen(buf)-1); + memmove(&buf[1], &buf[2], strlen(buf)-1);
- 25. Fails to build 0.46% of the time?Fails to build 0.46% of the time? x = f(u('abc'), 16) y = f(u('abc'), 16) self.assertEqual(sorted(set(x)), [u('a'), u('b'), u('c')]) AssertionError: Lists differ: [u'a', u'b'] != [u'a', u'b', u'c'] (3C2)*(2/3)16 – (3C1)*(1/3)16 =~ 0.46%
- 26. Debian & Reproducible BuildsDebian & Reproducible Builds
- 27. "Torture test""Torture test" Time & date Hostname & domain name Filesystem (disorderfs) Timezone & locale uid & gid Kernel & CPU type
- 28. First rebuild in 2013 24% packages reproducible March 2018 93% packages reproducible
- 31. Beyond Debian…Beyond Debian… coreboot, Fedora, LEDE, OpenWRT, NetBSD, FreeBSD, Archlinux, Qubes, F-Droid, NixOS, Guix, Meson, etc. Other projects using "Debian"'s testing framework Reproducible Builds summits (Athens, Berlin)
- 32. # diff -urNad file1 file2 --- file1 2017-06-18 12:37:03.179186661 +0800 +++ file2 2017-06-18 12:37:04.811193648 +0800 @@ -1 +1 @@ -This is the first file. +This is the second file.
- 36. ├── aspell-de_20131206-5_all.deb │ ├── metadata │ │ rw-r--r-- 0/0 4 Jun 11 16:19 2014 debian-binary │ │ -rw-r--r-- 0/0 2893 Jun 11 16:19 2014 control.tar.gz │ │ -rw-r--r-- 0/0 329600 Jun 11 16:19 2014 data.tar.xz │ │ +rw-r--r-- 0/0 2875 Jun 11 16:19 2014 control.tar.gz │ │ +rw-r--r-- 0/0 329596 Jun 11 16:19 2014 data.tar.xz │ ├── control.tar.gz │ │ ├── control.tar │ │ │ ├── md5sums │ │ │ │┄ Files in package differ │ ├── data.tar.xz │ │ ├── data.tar │ │ │ ├── ./usr/lib/aspell/de_affix.dat │ │ │ │ # │ │ │ │ -# Version: 20131206 (build 20150801) │ │ │ │ +# Version: 20131206 (build 20150802) │ │ │ │ # │ │ │ ├── ./usr/share/aspell/de-common.cwl.gz │ │ │ │ ├── metadata │ │ │ │ │ -gzip compressed data, last modified: Sat Aug 1 18:21 │ │ │ │ │ +gzip compressed data, last modified: Sat Aug 1 18:24
- 38. Android APK files, Android boot images, Ar(1) archives, Berkeley DB database files, Bzip2 archives, Character/block devices, ColorSync colour profiles (.icc), Coreboot CBFS filesystem images, Cpio archives, Dalvik .dex files, Debian .buildinfo files, Debian .changes files, Debian source packages (.dsc), Device Tree Compiler blob files, Directories, ELF binaries, Ext2/ext3/ext4/btrfs filesystems, FreeDesktop Fontconfig cache files, FreePascal files (.ppu), Gettext message catalogues, GHC Haskell .hi files, GIF image files, Git repositories, GNU R database files (.rdb), GNU R Rscript files (.rds), Gnumeric spreadsheets, Gzipped files, ISO 9660 CD images, Java .class files, JavaScript files, JPEG images, JSON files, LLVM IR bitcode files, MacOS binaries, Microso Windows icon files, Microso Word .docx files, Mono 'Portable Executable' files, Ogg Vorbis audio files, OpenOffice .odt files, OpenSSH public keys, OpenWRT package archives (.ipk), PDF documents, PGP signed/encrypted messages, PNG images, PostScript documents, RPM archives, Rust object files (.deflate), SQLite databases, SquashFS filesystems, Statically-linked binaries, Symlinks, Tape archives (.tar), Tcpdump capture files (.pcap), Text files, TrueType font files, XML binary schemas (.xsb), XML files, XZ compressed files, etc.
- 40. Show differences in security uploads diffoscope ≠ definition of reproducible! Binary blobs (eg. images for routers / IoT devices)
- 41. What's le to do?What's le to do?
- 42. Source codeSource code Programming errors Backdoors / obfusticated code Weak algorithms Code with "testing" modes
- 43. $ apt install python-pywt-doc Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: python-pywt-doc 0 upgraded, 1 newly installed, 0 to remove and 4 not upgrad Need to get 102 kB of archives. After this operation, 978 kB of additional disk space will WARNING: The following packages are not reproducible! python-pywt-doc Install these packages anyway? [y/N]
- 44. Toolchain fixes (GCC, Go, R) Infrastructure changes Improving developer tools Mandating Debian packages be reproducible? Defeating Trusting Trust…?
- 45. Get involved!Get involved! Visit: Follow: @ReproBuilds on Twitter Join: #reproducible-builds (OFTC) reproducible-builds.org