
Long battle

Posted Mar 22, 2025 23:16 UTC (Sat) by linuxrocks123 (subscriber, #34648)
In reply to: Long battle by NYKevin
Parent article: Julien Malka proposes method for detecting XZ-like backdoors

When the proprietary world uses open source software, they either do it normally if they're smart or pay Red Hat / Oracle / SuSE / Canonical an arm and a leg and use whatever they are given by them if they are not. When the proprietary world forks something or builds something on top of something from the open source world, they can do it different ways, but one way they definitely will not do it is open a PR checking in the entire Chromium source tree and having another employee code review each of those million lines of code.

So, the proprietary world is not likely to do anything resembling the overengineered nonsense you propose because the proprietary world knows their employees' real names and addresses and therefore that they are probably not Russian spies, and they're not going to review their OSS dependencies or upstream codebases before checking them in anyway, so, if those dependencies have been infiltrated by Russian spies, signing the Russian spies' code won't add value.

Now, if your general point is "centralization is better because I can make everyone else do what I want", that mindset has a lot of other problems ... but that's a different conversation.


Long battle

Posted Mar 23, 2025 1:24 UTC (Sun) by NYKevin (subscriber, #129325) [Link] (4 responses)

> So, the proprietary world is not likely to do anything resembling the overengineered nonsense you propose

I find it utterly baffling when people tell me, citing no evidence whatsoever, that my employer does not do the exact thing that I personally experience on a day to day basis. I am not making up a hypothetical, I am telling you how Google actually develops software. See [1] if you don't believe me.

> but one way they definitely will not do it is open a PR checking in the entire Chromium source tree and having another employee code review each of those million lines of code.

There is tooling and automation to facilitate processes like this. It does not necessarily require a human to manually review every line of third-party code on first integration, especially if it comes from a reputable project that is known to have a serious process for finding and fixing vulnerabilities. It is enough for there to be some team of security professionals who can make policy judgments about which FOSS projects are trustworthy and which ones are going to require manual code review.

But regardless, the ultimate goal here is not just to get all of the code audited. It is to ensure that you have a standardized and hermetic build process, that isn't curl | bash or anything resembling curl | bash, and that can be subject to reproducibility and signing requirements in a centralized fashion.

[1]: https://bazel.build/about/faq#how_does_the_google_develop...

Long battle

Posted Mar 23, 2025 6:57 UTC (Sun) by pm215 (subscriber, #98099) [Link] (3 responses)

I think that the miscommunication is that you say "the proprietary world" when what you mean is "the absolutely gigantic tech firms, of which there are perhaps half a dozen". Much more of the proprietary world is smaller companies who do not have "invest in software tooling" as a corporate value the way Google does, but instead see infrastructure and tooling as a cost to be minimised.

IDK, I don't have much insight into internal processes at a wide range of companies: but I strongly suspect Google and the amount of investment Google can and will put into tooling is an outlier. Most companies do not write their own build systems!

Long battle

Posted Mar 23, 2025 7:30 UTC (Sun) by pm215 (subscriber, #98099) [Link]

(I should have written "what you appear to mean" rather than "what you mean"; sorry about that.)

Long battle

Posted Mar 23, 2025 9:02 UTC (Sun) by NYKevin (subscriber, #129325) [Link] (1 responses)

Bazel is FOSS. Anyone can use it right now. There are also numerous FOSS CI solutions, numerous FOSS code signing solutions, etc., all of which are individually capable of every piece of functionality I describe in my original comment, or could be trivially extended to support such functionality. You don't actually *need* to write your own build system, because other people have already done that work for you.

Some technical knowledge is required to snap all of the individual Lego bricks together, so I'm not suggesting that random non-tech companies are going to do this (they will buy a turnkey solution from somebody like IBM or Oracle, which will do something like this, but with more audit logs and misc. "compliance" features), but it is not nearly as hard as you seem to think. If you have a few competent engineers, it's mostly a question of political will and budgeting. That does not make it easy. It makes it feasible, under the right conditions, with managerial support. Ultimately, this is a business decision. If a company('s management) does not want reproducible builds, or is not willing to say "no" to a large number of employees in order to get reproducible builds, then it will not have reproducible builds.

***

Aside from that, while I appreciate that you are trying to deescalate the discussion, I really do not think the phrase "overengineered nonsense" is helpful, nor do I see any qualification in the original comment suggesting that it was restricted to smaller companies. I really wish we could be kinder to one another in discussions like this one.
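As an added illustration of the build discipline NYKevin describes in the two comments above (a hermetic process that "isn't curl | bash", subject to reproducibility and signing checks, assembled from off-the-shelf pieces), here is a small Python sketch. It is not part of this thread and is not Bazel's or any real tool's code: it models a lockfile that pins each third-party input to a content digest, a fetch that rejects anything not matching its pin, and a reproducibility check that builds the same input twice and compares output digests. The archive bytes, the lockfile entry and the toy "compilers" are constructed stand-ins so the script runs offline.

```python
"""Toy model of a hermetic, pinned build with a reproducibility check.

Constructed example: the archive, lockfile entry and build functions are
stand-ins, not any real package or build system.
"""
import hashlib
import itertools
from typing import Callable, Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed third-party input and the digest recorded for it when it was
# first reviewed and admitted into the dependency set (hypothetical values).
LIBFOO_ARCHIVE = b"libfoo-1.2 source tree (constructed stand-in)\n"
LOCKFILE: Dict[str, str] = {
    "libfoo-1.2.tar": sha256_hex(LIBFOO_ARCHIVE),
}


class PinMismatch(Exception):
    """Raised when a fetched artifact is unpinned or fails its pinned digest."""


def fetch_pinned(name: str, fetcher: Callable[[str], bytes],
                 lock: Dict[str, str] = LOCKFILE) -> bytes:
    """Hermetic fetch: whatever the transport returns is accepted only if it
    hashes to the pinned value. This is the opposite of `curl | bash`, where
    content is trusted the moment it arrives, whoever served it."""
    if name not in lock:
        raise PinMismatch(f"{name} is not in the lockfile; refusing to fetch")
    data = fetcher(name)
    actual = sha256_hex(data)
    if actual != lock[name]:
        raise PinMismatch(f"{name}: expected {lock[name]}, got {actual}")
    return data


def hermetic_build(source: bytes) -> bytes:
    """Toy 'compiler': output depends only on the declared input."""
    return b"BUILD-OUTPUT\n" + hashlib.sha256(source).digest()


# Undeclared ambient state (a build counter standing in for a timestamp or
# hostname) that a non-hermetic build leaks into its output.
_BUILD_COUNTER = itertools.count()


def leaky_build(source: bytes) -> bytes:
    """Same toy build, but it embeds ambient state, which is exactly the kind
    of undeclared input that breaks reproducibility."""
    return hermetic_build(source) + f"build-number={next(_BUILD_COUNTER)}".encode()


def is_reproducible(build: Callable[[bytes], bytes], source: bytes) -> bool:
    """Reproducibility check: two independent builds of identical inputs must
    produce byte-identical output, so their digests must match."""
    return sha256_hex(build(source)) == sha256_hex(build(source))


if __name__ == "__main__":
    # Constructed transports: one honest, one returning a modified archive.
    honest = lambda name: LIBFOO_ARCHIVE
    tampered = lambda name: LIBFOO_ARCHIVE + b"# unexpected extra content\n"

    src = fetch_pinned("libfoo-1.2.tar", honest)
    print("pinned fetch ok; hermetic build reproducible:",
          is_reproducible(hermetic_build, src))
    print("leaky build reproducible:", is_reproducible(leaky_build, src))
    try:
        fetch_pinned("libfoo-1.2.tar", tampered)
    except PinMismatch as exc:
        print("rejected:", exc)
```

The two checks are independent: the pin stops an input that differs from what was reviewed, and the double-build comparison catches a build that smuggles in ambient state, which is what makes a signed, reproducible artifact meaningful in the first place.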

Long battle

Posted Mar 23, 2025 12:45 UTC (Sun) by pm215 (subscriber, #98099) [Link]

I think my take is that most proprietary shops indeed do not have that political will and budget, and are unlikely to acquire it short of external forcing factors like regulation.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds