Breaking the Chains of Trusting Trust: Reproducible Builds and More!
E148 | Sun 16 Jul 2 p.m.–3 p.m.
Presented by
-
Vagrant Cascadian
https://www.aikidev.net
Vagrant strives to make Reproducible Builds a best practices reality for everyone. Vagrant discovered free software late last millenia and has been contributing to free software since the beginning of this millenia. A long-time Debian Developer and contributor to Guix, tinkering with ARM and RISC-V systems. At Portland's Free Geek, Vagrant dove into life as a free software developer, rebuilding electronic waste with FOSS, modifying or developing new software as needed. That led to exciting work helping coordinate LTSP development shared between several different operating systems. That sense of open collaboration has been a life-long habit. Vagrant contrasts spending too much time on computers with bicycle commuting, aikido and a DIY solar hobby.
Vagrant Cascadian
https://www.aikidev.net
Abstract
Corrupted build environments can deliver compromised cryptographically
signed binaries. Several exploits in in critical supply chains have
been demonstrated in recent years, proving that this is not just
theoretical. The most well secured build environments are still single
points of failure when they fail.
In 1984, Ken Thompson presented "Reflections on trusting trust" which
described an attack on a build toolchain that would be impossible to
detect through source code review ... in the decades since, what has
been done to actually mitigate these types of attacks?
Work in the Reproducible Builds and Bootstrappable Builds communities
has been progressing steadily in recent years, and can be used to
significantly reduce the risks of "Trusting Trust" and other supply
chain attacks, by making it possible to independently review not only
the end result, but the entire toolchain used to build a given
artifact.
This talk will focus on the state of the art from several angles in
related Free and Open Source Software projects, what works, current
challenges and future plans for building trustworthy toolchains you do
not need to trust.
https://reproducible-builds.org
https://bootstrappable.org
Corrupted build environments can deliver compromised cryptographically signed binaries. Several exploits in in critical supply chains have been demonstrated in recent years, proving that this is not just theoretical. The most well secured build environments are still single points of failure when they fail. In 1984, Ken Thompson presented "Reflections on trusting trust" which described an attack on a build toolchain that would be impossible to detect through source code review ... in the decades since, what has been done to actually mitigate these types of attacks? Work in the Reproducible Builds and Bootstrappable Builds communities has been progressing steadily in recent years, and can be used to significantly reduce the risks of "Trusting Trust" and other supply chain attacks, by making it possible to independently review not only the end result, but the entire toolchain used to build a given artifact. This talk will focus on the state of the art from several angles in related Free and Open Source Software projects, what works, current challenges and future plans for building trustworthy toolchains you do not need to trust. https://reproducible-builds.org https://bootstrappable.org