List: oss-security
Subject: [oss-security] Attestation, reproducible builds, and bootstrapping
From: Ludovic Courtès <ludo () gnu ! org>
Date: 2023-05-24 20:57:39
Message-ID: 87zg5tfnwc.fsf_-_ () gnu ! org
Hi,
Brian Behlendorf <brian@behlendorf.com> wrote:
> A clear and more formal way of understanding the different levels of
> attestation of one's build environment can be found in the SLSA
> specification. Here's a story about how Google Cloud incorporates it
> into build service:
>
> https://slsa.dev/blog/2022/12/gcb-slsa-verification
>
> Of course attestation is not proof, and even human certification can
> only go so far. Reproducible builds offer a path there but that goal
> seems just as far away as it was 20 years ago, when Java was going to
> solve that for us.
This is not true: reproducible builds are a reality for a number of
distros already and also upstream (for GNU Guix, we measure 85%
reproducibility on 22K packages; Debian might be even higher).
Bootstrapping has also gone a long way: Guix's package graph is now
rooted in a 357-byte "binary" ¹; everything else (with the exception of a
couple of bootstrap compilers such as GHC, for now) is built from
source, in isolated environments. A similar bootstrap path is used by
freedesktop-sdk ².
So I disagree that one has to resort to attestation and certification;
verifiability and auditability are evidently achievable and they provide
much stronger guarantees.
Ludo'.
¹ https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/
² https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/11557
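The point of the message above is that a reproducible build can be checked by anyone who rebuilds it, with no need to trust an attestation. Guix ships this as `guix build --check` (rebuild locally and compare) and `guix challenge` (compare against substitute servers); the script below is an added, stand-alone illustration of the same check and is not Guix's or Debian's code. It digests two build output trees by content only (paths, file bytes, symlink targets), ignoring mtimes and ownership, and lists the files that diverge. The three sample "builds" are constructed in a temporary directory for the demo: two that differ only in timestamps on the filesystem, and one that leaked a build date into a file.

```python
# Added example (not from the e-mail or from Guix/Debian tooling): an
# independent reproducibility check over two build output trees.
import hashlib
import os
import tempfile
from pathlib import Path


def tree_digest(root) -> str:
    """Digest of a directory's *content*: relative paths, file bytes, symlink
    targets and directory entries, visited in sorted order. Deliberately
    ignores mtimes, owners and permissions; a difference in this digest is a
    real difference in what was built, not filesystem noise."""
    root = Path(root)
    h = hashlib.sha256()
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix().encode()
        h.update(b"P" + len(rel).to_bytes(4, "big") + rel)
        if path.is_symlink():
            target = os.readlink(path).encode()
            h.update(b"L" + len(target).to_bytes(4, "big") + target)
        elif path.is_dir():
            h.update(b"D")
        else:
            data = path.read_bytes()
            h.update(b"F" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def file_digests(root) -> dict:
    """Per-file SHA-256 of regular files, keyed by path relative to root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def diverging_files(build_a, build_b) -> list:
    """Relative paths whose content differs, or that exist on one side only."""
    da, db = file_digests(build_a), file_digests(build_b)
    return sorted(p for p in set(da) | set(db) if da.get(p) != db.get(p))


def _write(root: Path, rel: str, text: str, mtime: int) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    os.utime(path, (mtime, mtime))


def demo() -> dict:
    """Constructed sample data (not a real package): three outputs of the
    'same' build. build1 and build2 differ only in filesystem mtimes and
    must compare equal; build3 embedded a build date in a file and must not."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        for i, stamp in ((1, 1_600_000_000), (2, 1_700_000_000), (3, 1_700_000_000)):
            root = tmp / f"build{i}"
            _write(root, "bin/hello", "#!/bin/sh\necho hello\n", stamp)
            _write(root, "share/doc/README", "hello, reproducibly\n", stamp)
            info = "built-from: hello-1.0\n"
            if i == 3:
                info += f"build-date: {stamp}\n"  # non-deterministic input leaks in
            _write(root, "lib/build-info.txt", info, stamp)
        return {
            "rebuild_matches": tree_digest(tmp / "build1") == tree_digest(tmp / "build2"),
            "timestamped_matches": tree_digest(tmp / "build1") == tree_digest(tmp / "build3"),
            "diverging": diverging_files(tmp / "build1", tmp / "build3"),
        }


if __name__ == "__main__":
    print(demo())
```

Running it reports that the rebuild matches, that the timestamped build does not, and that `lib/build-info.txt` is the single diverging file. For real packages the divergence is usually of exactly this kind (embedded dates, build paths, nondeterministic ordering), which is why the per-file list is more useful than the overall yes/no.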