
List:       oss-security
Subject:    [oss-security] Attestation, reproducible builds, and bootstrapping
From:       Ludovic_Courtès <ludo () gnu ! org>
Date:       2023-05-24 20:57:39
Message-ID: 87zg5tfnwc.fsf_-_ () gnu ! org

Hi,

Brian Behlendorf <brian@behlendorf.com> wrote:

> A clear and more formal way of understanding the different levels of
> attestation of one's build environment can be found in the SLSA
> specification. Here's a story about how Google Cloud incorporates it
> into build service:
>
> https://slsa.dev/blog/2022/12/gcb-slsa-verification
>
> Of course attestation is not proof, and even human certification can
> only go so far. Reproducible builds offer a path there but that goal
> seems just as far away as it was 20 years ago, when Java was going to
> solve that for us.

This is not true: reproducible builds are a reality for a number of
distros already and also upstream (for GNU Guix, we measure 85%
reproducibility on 22K packages; Debian might be even higher).

Bootstrapping has also gone a long way: Guix's package graph is now
rooted in a 357-byte "binary" ¹; everything else (with the exception of a
couple of bootstrap compilers such as GHC, for now) is built from
source, in isolated environments.  A similar bootstrap path is used by
freedesktop-sdk ².

So I disagree that one has to resort to attestation and certification;
verifiability and auditability are evidently achievable and they provide
much stronger guarantees.

Ludo'.

 ¹ https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/
 ² https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/11557
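The "85% reproducibility" figure above rests on a simple check: build the same source twice in separate, clean locations and compare the outputs bit for bit. The script below is an added illustration, not part of Ludo's message and not Guix's own tooling; the two toy "builders" (build_reproducible, build_unreproducible), the is_reproducible check and the reproducibility_rate function are all hypothetical names constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: the check behind a reproducibility
# figure. "Build" the same source twice into fresh files and compare SHA-256
# digests; only a bit-for-bit identical pair counts as reproducible.
set -eu

# digest_of FILE: SHA-256 hex digest, using whichever tool is installed.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_unreproducible SRC OUT: toy build that leaks the wall-clock time and
# the output path into the artifact, two classic sources of non-determinism.
build_unreproducible() {
    printf 'built-at=%s\nbuild-dir=%s\n' "$(date +%s)" "$2" > "$2"
    cat "$1" >> "$2"
}

# build_reproducible SRC OUT: same build, but the timestamp comes from
# SOURCE_DATE_EPOCH (the reproducible-builds.org convention) and no path is
# embedded, so the output is a pure function of the source.
build_reproducible() {
    printf 'built-at=%s\n' "${SOURCE_DATE_EPOCH:-0}" > "$2"
    cat "$1" >> "$2"
}

# is_reproducible BUILDER SRC: run BUILDER twice into separate temporary
# outputs; exit 0 if the digests match, 1 otherwise.
is_reproducible() {
    ir_out1=$(mktemp)
    ir_out2=$(mktemp)
    "$1" "$2" "$ir_out1"
    "$1" "$2" "$ir_out2"
    ir_h1=$(digest_of "$ir_out1")
    ir_h2=$(digest_of "$ir_out2")
    rm -f "$ir_out1" "$ir_out2"
    [ "$ir_h1" = "$ir_h2" ]
}

# reproducibility_rate SRC BUILDER...: integer percentage of the given
# builders whose output is reproducible, i.e. the kind of figure quoted above.
reproducibility_rate() {
    rr_src=$1
    shift
    rr_ok=0
    rr_total=0
    for rr_builder in "$@"; do
        rr_total=$((rr_total + 1))
        if is_reproducible "$rr_builder" "$rr_src"; then
            rr_ok=$((rr_ok + 1))
        fi
    done
    echo $((rr_ok * 100 / rr_total))
}

# Constructed sample input: a one-line "source file".
SAMPLE_SRC=$(mktemp)
printf 'int main(void) { return 0; }\n' > "$SAMPLE_SRC"

for builder in build_reproducible build_unreproducible; do
    if is_reproducible "$builder" "$SAMPLE_SRC"; then
        echo "$builder: reproducible"
    else
        echo "$builder: NOT reproducible"
    fi
done
echo "rate: $(reproducibility_rate "$SAMPLE_SRC" build_reproducible build_unreproducible)%"
rm -f "$SAMPLE_SRC"
```

The point of the unreproducible builder is that a second rebuild, not a signature or an attestation, is what exposes the leaked timestamp and build path; a distro-scale figure is just this check run over every package, with the rebuild done in an isolated environment so that nothing outside the declared inputs can influence the result.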