
Very cool

Posted Aug 1, 2024 16:47 UTC (Thu) by paulj (subscriber, #341)
Parent article: Pulling Linux up by its bootstraps

Very cool, and amazing progress towards the day when we have people doing reproducible builds from hardware all the way up (note: This requires the home fab projects to make progress too).

This doesn't lay Thomson's worries to rest though. The opposite in fact. It _makes his point_. And even then, this is something that most people are not going to be able to do (by skill, or practicalities such as time). Also, I note the reliance on very old software - which is itself a threat, given what we know about shelf-life of cryptographic hashes, e.g. see observations of Valerie Aurora. I wrote a bit more on this and double diverse compiling here: https://paul.jakma.org/2010/09/20/critique-of-diverse-dou...


to post comments

Very cool

Posted Aug 1, 2024 19:26 UTC (Thu) by Phantom_Hoover (guest, #167627) [Link] (3 responses)

What would make Thompson’s point is a working demonstration of a backdoor that’s durable to even basic countermeasures, or one found in the wild. Yet more science fictions about what an impossibly perfect program could allegedly do aren’t going to cut it.

Very cool

Posted Aug 2, 2024 8:43 UTC (Fri) by chris_se (subscriber, #99706) [Link]

> What would make Thompson’s point is a working demonstration of a backdoor that’s durable to even basic countermeasures, or one found in the wild. Yet more science fictions about what an impossibly perfect program could allegedly do aren’t going to cut it.

I think Thompson's argument is correct in a philosophical sense, but not in a practical sense. I agree with you in that I don't believe that such a super-backdoor doesn't exist.

But other supply chain attacks are real (as we've seen with e.g. the XZ backdoor). And I applaud any work that tries to make it harder and harder for such an attack to occur undetected. Methods that can detect vastly more sophisticated (and possibly unrealistic) attacks will also help detect the more realistic ones.

I also think that most developers aren't thinking enough about supply chain attacks in the modern world. So I'm very excited about projects that push these types of ideas more into the current zeitgeist.

Very cool

Posted Aug 6, 2024 3:02 UTC (Tue) by NYKevin (subscriber, #129325) [Link] (1 responses)

As I explained upthread,[1] the original attack is, was, and has always been a fantasy, and so it is logical to conclude that Thompson was not speaking literally. I think it is plausible to read Thompson as anticipating the general(!) category of attack which includes the xz backdoor. I would summarize this interpretation of Thompson as "supply chain attacks don't have to be visible in source code to be effective."

[1]: https://lwn.net/Articles/984430/

Very cool

Posted Aug 6, 2024 8:54 UTC (Tue) by chris_se (subscriber, #99706) [Link]

> I would summarize this interpretation of Thompson as "supply chain attacks don't have to be visible in source code to be effective."

Regardless of whether Thompson himself meant it like that or not, I really like your summary. It's catchy enough that one could make a t-shirt out of it. :-)

Very cool

Posted Aug 7, 2024 20:45 UTC (Wed) by naesten (guest, #71199) [Link]

> Very cool, and amazing progress towards the day when we have people doing reproducible builds from hardware all the way up (note: This requires the home fab projects to make progress too).

Even without homebrew hardware, it should still count for something if we get bit-for-bit identical results on a sufficiently wide array of hardware/firmware. Requirements I can think of:
  • Use a mix of CPU vendors. (Hopefully, AMD and Intel aren't colluding.)
  • Use motherboards with firmware of different lineage. To avoid any chance that they're all using edk2 to implement UEFI, include plenty of legacy BIOS boards.
  • Use different brands of disk drive and video adapter.
  • Include systems of quite different age, to rule out short-term conspiracies.
Another thing that makes me a bit nervous is the fixed sequence of old GCC versions; it would be more confidence-inspiring if several different paths through GCC history were verified to produce the same result. (It could be worse: some compilers only support building using a specific earlier version, possibly checked into the source repository.)
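The cross-hardware check described in the comment above, as an added example that is not part of the LWN thread or of the bootstrap project: each build host reports the attributes the commenter lists (CPU vendor, firmware lineage, disk and video brand, machine age) plus the SHA-256 of the artifact it produced; the script flags hosts whose output diverges and reports which diversity requirements the host set fails to meet. The build records, hashes and threshold values are constructed for the example.

```python
"""Cross-hardware reproducibility check (added example; all data constructed).

Every host in a diverse fleet builds the same bootstrap artifact and reports
its hash together with a description of the machine.  Two questions are
answered: did all hosts agree bit-for-bit, and is the fleet diverse enough
along the axes the comment names for that agreement to mean much?
"""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildRecord:
    host: str
    cpu_vendor: str      # e.g. "AMD", "Intel"
    firmware: str        # firmware lineage, e.g. "edk2", "coreboot", "legacy-bios"
    disk_brand: str
    video_brand: str
    year: int            # year the machine was built
    artifact_sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts: three hosts produced identical bytes, one did not.
GOOD = sha256_hex(b"stage0 bootstrap output (constructed)")
BAD = sha256_hex(b"stage0 bootstrap output (constructed) with one changed byte")

SAMPLE_RECORDS = [
    BuildRecord("h1", "AMD", "edk2", "Samsung", "AMD", 2022, GOOD),
    BuildRecord("h2", "Intel", "coreboot", "WD", "Nvidia", 2015, GOOD),
    BuildRecord("h3", "Intel", "legacy-bios", "Seagate", "Intel", 2009, GOOD),
    BuildRecord("h4", "AMD", "legacy-bios", "Toshiba", "Matrox", 2006, BAD),
]


def hash_groups(records):
    """Map each distinct artifact hash to the hosts that produced it."""
    groups = {}
    for r in records:
        groups.setdefault(r.artifact_sha256, []).append(r.host)
    return groups


def outliers(records):
    """Hosts whose artifact differs from the most common hash (record order)."""
    if not records:
        return []
    majority = Counter(r.artifact_sha256 for r in records).most_common(1)[0][0]
    return [r.host for r in records if r.artifact_sha256 != majority]


def diversity_gaps(records, min_cpu_vendors=2, min_firmware=2,
                   min_disk=2, min_video=2, min_age_spread=10):
    """Names of the diversity requirements the host set fails (thresholds are
    constructed placeholders; tune them to the fleet you actually have)."""
    gaps = []
    if len({r.cpu_vendor for r in records}) < min_cpu_vendors:
        gaps.append("cpu_vendor")
    if len({r.firmware for r in records}) < min_firmware:
        gaps.append("firmware")
    if len({r.disk_brand for r in records}) < min_disk:
        gaps.append("disk_brand")
    if len({r.video_brand for r in records}) < min_video:
        gaps.append("video_brand")
    years = [r.year for r in records]
    if not years or max(years) - min(years) < min_age_spread:
        gaps.append("age_spread")
    return gaps


def assess(records):
    """Overall verdict: bit-for-bit agreement, divergent hosts, unmet diversity."""
    return {
        "reproducible": len(hash_groups(records)) == 1,
        "outliers": outliers(records),
        "gaps": diversity_gaps(records),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

A divergent host is a lead, not a verdict: it may be a flaky build rather than a compromised machine, so the next step is to diff the artifacts and rebuild on that host. Agreement across a diverse fleet speaks only to the hardware and firmware; it says nothing about the fixed chain of old GCC versions the commenter also worries about, which would need independent compiler lineages compared the same way.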


Copyright © 2025, Eklektix, Inc.