
Long battle

Posted Mar 23, 2025 6:57 UTC (Sun) by pm215 (subscriber, #98099)
In reply to: Long battle by NYKevin
Parent article: Julien Malka proposes method for detecting XZ-like backdoors

I think that the miscommunication is that you say "the proprietary world" when what you mean is "the absolutely gigantic tech firms, of which there are perhaps half a dozen". Much more of the proprietary world is smaller companies who do not have "invest in software tooling" as a corporate value the way Google does, but instead see infrastructure and tooling as a cost to be minimised.

IDK, I don't have much insight into internal processes at a wide range of companies: but I strongly suspect Google and the amount of investment Google can and will put into tooling is an outlier. Most companies do not write their own build systems!


Long battle

Posted Mar 23, 2025 7:30 UTC (Sun) by pm215 (subscriber, #98099) [Link]

(I should have written "what you appear to mean" rather than "what you mean"; sorry about that.)

Long battle

Posted Mar 23, 2025 9:02 UTC (Sun) by NYKevin (subscriber, #129325) [Link] (1 responses)

Bazel is FOSS. Anyone can use it right now. There are also numerous FOSS CI solutions, numerous FOSS code signing solutions, etc., all of which are individually capable of every piece of functionality I describe in my original comment, or could be trivially extended to support such functionality. You don't actually *need* to write your own build system, because other people have already done that work for you.

Some technical knowledge is required to snap all of the individual Lego bricks together, so I'm not suggesting that random non-tech companies are going to do this (they will buy a turnkey solution from somebody like IBM or Oracle, which will do something like this, but with more audit logs and misc. "compliance" features), but it is not nearly as hard as you seem to think. If you have a few competent engineers, it's mostly a question of political will and budgeting. That does not make it easy. It makes it feasible, under the right conditions, with managerial support. Ultimately, this is a business decision. If a company('s management) does not want reproducible builds, or is not willing to say "no" to a large number of employees in order to get reproducible builds, then it will not have reproducible builds.

***

Aside from that, while I appreciate that you are trying to deescalate the discussion, I really do not think the phrase "overengineered nonsense" is helpful, nor do I see any qualification in the original comment suggesting that it was restricted to smaller companies. I really wish we could be kinder to one another in discussions like this one.

Long battle

Posted Mar 23, 2025 12:45 UTC (Sun) by pm215 (subscriber, #98099) [Link]

I think my take is that most proprietary shops indeed do not have that political will and budget, and are unlikely to acquire it short of external forcing factors like regulation.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds