Debian Project

Releasing Debian jessie: reproducibility

Debian Project at

For the next Debian release, we hope to have most packages build reproducibly. Attacks silently targeting binaries will become much harder! #releasingjessie

Mike Linksvayer, der.hans, David Thompson like this.

>> Debian Project:

“Attacks silently targeting binaries”


In what sense?

JanKusanagi @identi.ca at 2015-04-26T12:36:03Z

Check out the wiki page.

Debian Project at 2015-04-26T12:38:26Z

OK, I imagine this is the gist of it:

(quoting here for others who might wonder)


Why do we want reproducible builds?

  • Allow independent verifications that a binary matches what the source intended to produce.
  • Should reproducible uploads become mandatory, then the incentive of an attacker to compromise the system of a developer with upload rights is lowered because it is no longer possible for the developer to upload a binary that does not match the uploaded sources.
  • Additionally, the incentive for this kind of attack is further lowered because an attacker now has to compromise all machines that can check the reproducibility of the uploaded source.
  • Finally, with a sufficiently large body of independent (geographically and administratively) machines, reproducible builds can help find systems which are compromised in a way that produces binaries with altered functionality.

JanKusanagi @identi.ca at 2015-04-26T12:42:38Z

der.hans likes this.
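The first bullet of the quoted wiki text (independent verification that a binary matches its source) is the check the rest of the thread relies on, so here is an added worked example of it. This is not code from the thread, the Debian wiki, or the Debian project. Two "builders" start from byte-identical source that differs only in the file's modification time; a verifier rebuilds on both and compares SHA-256 hashes. A plain gzip of the source gives two different artifacts, because gzip copies the input's mtime into the stream header, while gzip -n gives identical ones. The temporary directory, file names and the two timestamps are constructed for the example; the only tools assumed are a POSIX sh with GNU gzip, coreutils (mktemp, touch, sha256sum, cut) and diffutils' cmp.

```shell
#!/bin/sh
# Added example: two independent "builders" produce an artifact from the
# same source; a verifier compares the results. Not Debian project code.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input: identical source on two builders whose checkouts
# differ only in mtime (one day apart). Paths and times are made up.
mkdir -p "$WORK/builder1" "$WORK/builder2"
printf 'hello, jessie\n' > "$WORK/builder1/hello.txt"
cp "$WORK/builder1/hello.txt" "$WORK/builder2/hello.txt"
touch -d '@1430051763' "$WORK/builder1/hello.txt"   # 2015-04-26 12:36:03 UTC
touch -d '@1430138163' "$WORK/builder2/hello.txt"   # exactly one day later

# "Build" = compress the source. Each build function writes the artifact
# to $2 and prints its SHA-256, which is what a verifier would compare.
# Naive build: gzip records the input's mtime (and name) in its header.
build_naive() {
    gzip -c "$1" > "$2"
    sha256sum "$2" | cut -d' ' -f1
}
# Reproducible build: -n omits name and timestamp from the gzip header.
build_reproducible() {
    gzip -nc "$1" > "$2"
    sha256sum "$2" | cut -d' ' -f1
}

# Verifier: rebuild on both builders with the named build function and
# report whether the artifacts agree. Prints "reproducible" or "differs".
verify() {
    h1=$("$1" "$WORK/builder1/hello.txt" "$WORK/builder1/hello.gz")
    h2=$("$1" "$WORK/builder2/hello.txt" "$WORK/builder2/hello.gz")
    if [ "$h1" = "$h2" ]; then echo reproducible; else echo differs; fi
}

# When artifacts differ, locate the nondeterminism: print the 1-based
# byte offsets that disagree. In a gzip stream bytes 5..8 are MTIME.
diff_offsets() {
    # cmp -l exits 1 on difference; the pipeline's status is awk's.
    cmp -l "$1" "$2" | awk '{ printf "%s%s", sep, $1; sep=" " }'
}

echo "naive build:        $(verify build_naive)"
echo "differing offsets:  $(diff_offsets "$WORK/builder1/hello.gz" "$WORK/builder2/hello.gz")"
echo "reproducible build: $(verify build_reproducible)"
```

The verifier never needs the builders' trust, only their hashes: if an attacker altered one builder's toolchain, the mismatch shows up exactly as the timestamp mismatch does here, and cmp -l narrows it to the bytes that changed. Real packages hit the same class of problem through tar ordering and ownership, compiler-embedded dates, and archive timestamps, each of which needs its own normalization before the hashes line up.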