
Fedora and supply-chain attacks

Fedora and supply-chain attacks

Posted Jun 18, 2021 13:19 UTC (Fri) by Conan_Kudo (subscriber, #103240)
In reply to: Fedora and supply-chain attacks by ballombe
Parent article: Fedora and supply-chain attacks

The Debian build system does not have the kind of capability to replay exact build environments. And there's no reasonable way you can consider the build system servers as non-trusted. Otherwise you'd have to consider the distribution itself as untrusted. That's silly, because you fundamentally have to run everything on the operating system anyway.


Fedora and supply-chain attacks

Posted Jun 18, 2021 15:16 UTC (Fri) by ballombe (subscriber, #9523) [Link]

> The Debian build system does not have the kind of capability to replay exact build environments.

Could you elaborate ? What is missing ?

Fedora and supply-chain attacks

Posted Jun 18, 2021 16:35 UTC (Fri) by mw_skieske (guest, #144003) [Link] (1 responses)

>And there's no reasonable way you can consider the build system servers as non-trusted. Otherwise you'd have to consider the distribution itself as untrusted. That's silly, because you fundamentally have to run everything on the operating system anyway.

This is just not true at all.

Let me give you an example:

Build Systems can get hacked (they are high value targets). So maybe I trust the software which is assembled into an operating system but I don't trust the assembly process? reproducible builds allow me to double check this step, no?

It is also possible, maybe even more likely, that an intruder would _not_ infect the complete Fedora infrastructure, because targeted and contained attacks are much more likely to be noticed later than a huge range of owned systems for no good reason.

you are imho conflating software sourcecode, a build system, the people and process running the build system, the people maintaining the packages inside fedora and the complete assembled result (fedora images) into one process, which imho is a mistake.

These are all very distinct entities which sometimes sure do overlap but really are not the same.

These entities have varying personal attack surfaces and security processes implemented.

there are unpaid maintainers, paid maintainers, professionally run infrastructure by paid teams in Red Hat and a student packaging his own software.

It would be pretty naive imho to all lump this together, when talking about attack surface and threat modelling.

kind regards

Sven

Fedora and supply-chain attacks

Posted Jun 24, 2021 18:40 UTC (Thu) by zuki (subscriber, #41808) [Link]

> there are unpaid maintainers, paid maintainers, professionally run infrastructure by paid teams in red hat and a student packaging his own software.

I generally would love to see an effort for build reproducibility in Fedora, but this comment is essentially wrong. In Fedora, a maintainer (any maintainer) can only instruct the official build system to build a package from "dist-git", i.e. the package version control system. While all packagers push to dist-git, only the official infra managed by (essentially) "paid teams in Red Hat" is what actually builds the packages. For reproducible builds, we would record the inputs to the package builds and the build results, so build reproducibility would cover the part where already only this very small group of infra team members has access.

Actually we already record the inputs (every build must correspond to exactly one commit in dist-git and commits from which builds were made are forever public, and the exact list of packages used during build is recorded), and the outputs are recorded too (any build artifacts which were ever officially distributed are available). For Fedora, build reproducibility would mean that we would make an effort to make the builds bit-for-bit repeatable and maybe provide the build metadata (which is already being recorded) in a more standardized format. A "student packaging their own software" would have as much input to this system as they have now.

Fedora and supply-chain attacks

Posted Jun 19, 2021 11:20 UTC (Sat) by Foxboron (subscriber, #108330) [Link]

>The Debian build system does not have the kind of capability to replay exact build environments.

That is not true. Debian saves buildinfo files which can be used to replay exact build environments. And it works! My master's thesis was all about rebuilding Debian packages for bit-by-bit identical packages using `srebuild` and stuffing them into a transparency log.

https://salsa.debian.org/reproducible-builds/debian-rebui...
https://manpages.debian.org/testing/dpkg-dev/deb-buildinf...
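Both zuki's description of recorded build inputs and outputs and Foxboron's point about replaying an environment from a buildinfo file come down to the same artifact: a record of the exact installed build-dependencies, the environment, and the checksums of what came out. The following is an added example, not code from the thread, from Debian, or from Fedora. It parses a `.buildinfo` file in the field layout documented by deb-buildinfo(5), extracts the pinned package versions needed to recreate the build environment, and compares a set of rebuilt artifacts against the recorded SHA-256 sums. The buildinfo text and the artifact bytes are constructed in the block itself (the real ones are much longer); the `hello` package, versions, and environment values are made up.

```python
"""Parse a Debian .buildinfo file, list its pinned build environment, and
verify a rebuild against the recorded checksums.  Added example; the
buildinfo content and artifacts below are constructed, not real packages."""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class BuildInfo:
    source: str
    version: str
    architecture: str
    checksums_sha256: dict  # filename -> (hex digest, size in bytes)
    build_depends: dict     # package name -> exact installed version
    environment: dict       # variable -> value recorded at build time


def parse_buildinfo(text):
    """Parse the RFC-822-style buildinfo fields into a BuildInfo."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":  # continuation line of the current field
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(line.strip())
        else:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []

    checksums = {}
    for entry in fields.get("Checksums-Sha256", []):
        digest, size, filename = entry.split()
        checksums[filename] = (digest, int(size))

    # Entries look like "pkg (= ver)" or "pkg:arch (= ver)", comma separated.
    dep_re = re.compile(r"^([^\s(:]+)(?::[^\s(]+)?\s+\(=\s+([^)]+)\)$")
    build_depends = {}
    for entry in " ".join(fields.get("Installed-Build-Depends", [])).split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = dep_re.match(entry)
        if not m:
            raise ValueError(f"unparseable build-depends entry: {entry!r}")
        build_depends[m.group(1)] = m.group(2)

    environment = {}
    for entry in fields.get("Environment", []):
        key, _, value = entry.partition("=")
        environment[key] = value.strip('"')

    return BuildInfo(fields["Source"][0], fields["Version"][0],
                     fields["Architecture"][0], checksums, build_depends,
                     environment)


def replay_packages(info):
    """Exact 'pkg=version' pins needed to recreate the recorded environment."""
    return sorted(f"{pkg}={ver}" for pkg, ver in info.build_depends.items())


def verify_rebuild(info, rebuilt):
    """Compare rebuilt artifacts (filename -> bytes) with recorded SHA-256s."""
    result = {}
    for name, (digest, size) in info.checksums_sha256.items():
        data = rebuilt.get(name)
        if data is None:
            result[name] = "missing"
        elif len(data) != size:
            result[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            result[name] = "mismatch"
        else:
            result[name] = "match"
    return result


# Constructed stand-ins for the .deb files a build produced (not real archives).
ORIGINAL_ARTIFACTS = {
    "hello_2.10-2_amd64.deb": b"!<arch>\nhello-payload-v1",
    "hello-dbgsym_2.10-2_amd64.deb": b"!<arch>\ndebug-symbols-v1",
}


def _constructed_buildinfo(artifacts):
    """Build a buildinfo text whose checksums match the constructed artifacts."""
    lines = ["Format: 1.0", "Source: hello", "Binary: hello hello-dbgsym",
             "Architecture: amd64", "Version: 2.10-2", "Checksums-Sha256:"]
    for name, data in artifacts.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines += ["Build-Origin: Debian", "Build-Architecture: amd64",
              "Build-Date: Fri, 18 Jun 2021 13:19:00 +0000",
              "Installed-Build-Depends:", " base-files (= 11),",
              " gcc-10 (= 10.2.1-6),", " libc6-dev (= 2.31-13)",
              "Environment:", ' DEB_BUILD_OPTIONS="parallel=4"',
              ' SOURCE_DATE_EPOCH="1623935940"']
    return "\n".join(lines) + "\n"


SAMPLE_BUILDINFO = _constructed_buildinfo(ORIGINAL_ARTIFACTS)

if __name__ == "__main__":
    info = parse_buildinfo(SAMPLE_BUILDINFO)
    print("pins:", replay_packages(info))
    print("clean rebuild:", verify_rebuild(info, ORIGINAL_ARTIFACTS))
    tampered = dict(ORIGINAL_ARTIFACTS)
    tampered["hello_2.10-2_amd64.deb"] = b"!<arch>\nhello-payload-v1!"
    print("tampered rebuild:", verify_rebuild(info, tampered))
```

The `replay_packages` output is the list a rebuilder would feed to the package manager (against an archive snapshot from the recorded build date) before running the build with the recorded `Environment`; that archive-fetching part, which `srebuild` handles in the thread's Debian setup, is deliberately left out here so the example runs offline. `verify_rebuild` is the check that matters for the trust argument in the thread: a rebuilder who trusts the source and the recorded inputs but not the build host can confirm, without any access to that host, that the published binary is what those inputs produce.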


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds