[Reproducible-builds] Bug#763822: Moving towards buildinfo on the archive network

Jonathan McDowell noodles at earth.li
Sun Aug 21 18:03:19 UTC 2016 

On Sun, Aug 21, 2016 at 04:01:00PM +0000, Ximin Luo wrote:
> Jonathan McDowell:
> > On Sat, Aug 20, 2016 at 03:13:00PM +0000, Ximin Luo wrote:
> >> Note that the builder is a *distinct entity* from the distribution.
> >> It's important to keep the *original* signature by B on C. It breaks
> >> our security logic, to strip the signature and re-sign C using (e.g.)
> >> the Debian archive release keys - because the entity in charge of this
> >> release key is not the one that actually performed the build. Doing
> >> this, would allow malicious builders to re-attribute their misdeeds to
> >> look like it's the fault of Debian.
> > 
> > Debian already does this in the context of the fact that Package files
> > etc are signed by the archive key. It's possible to go and grab the .dsc
> > file to see who did the file build, but day-to-day no one is using these
> > to verify the binaries they receive. I care more that Debian stands
> > behind the packages I download than being able to verify individually
> > who build each of the packages I'm running - there's no meaningful way I
> > can attribute trust to *all* of the people who packaged something I have
> > installed.
> > 
>
> You have this backwards.
> 
> "Being able to verify individually who build each of the packages I'm
> running"
> 
> is *exactly* what is required to *not* have to 
> 
> "attribute trust of *all* of the people who packaged something I have
> installed."
> 
> and that is one major (probably the main) goal of R-B.
> 
> Now that I point this out - do you agree,

No. What lets me not care about who actually built the packages and have
to attribute trust to them is that I have the build information, which
allows me to verify I get exactly the same output from the provided
source. The signatures over these do not allow me to trust the binaries
I receive in any additional fashion. If I trust the statement "I built
package <x> using source <y> and build information <z>" from an
individual, without doing any verification that this is true, it doesn't
give me much over "I built package <x> using source <y>". I have to do
the build myself to ensure what I have been told is true.

Where, to me, signatures become more interesting is when it is possible
for multiple different people to attest they build a set of source using
the same information and got exactly the same output - but only if I
actually trust all the entities who are doing that signing.

> and does it change your mind on anything you previously said?

Fundamentally I still think build information without the signature of
the builder is information that it would be useful to have accompanying
the Debian archive. It seems you do not believe this is worth anything
as it loses the signature which provides a chain back to the origin. I
do not, at present, have a good solution for the extra information and
conditions you want within the context of the Debian archive.

J.

-- 
] http://www.earth.li/~noodles/ [] 101 things you can't have too much  [
]  PGP/GPG Key @ the.earth.li   []        of : 49 - Bandwidth.         [
] via keyserver, web or email.  []                                     [
] RSA: 4096/0x94FA372B2DA8B985  []                                     [

More information about the Reproducible-builds mailing list