Re: source-only builds and .buildinfo
On Thu, Jun 22, 2017 at 08:26:00AM +0000, Ximin Luo wrote:
> One way to give security that is independent of third parties, is to provide some sort of mathematically-verifiable proof. However the world isn't at that stage yet for compiler technology.
What changes in compiler technology are you hoping for?
The main reason for fixing optimizer bugs in the compiler is to get
different (no longer buggy) output.
> For users that can't directly verify everything that they themselves run, one "next best thing" they can do is to check that different parties that they trust - or many parties that they don't trust, that they nevertheless believe are probably not all colluding to attack them - claimed to have performed the build or verified each others' proofs.
> So, the more buildinfo files we have, from different parties (DDs, the Debian archive, etc) the better this is for users, because they have more sources of claims. How much they "trust" each individual source, is indeed not something that is concretely measurable and no existing security system tries to model this more precisely unfortunately; however I think we can all agree that "more is better" here.
I don't see how more random information is helpful for users.
One or more trusted instances verifying that all packages in a release
were built from their sources is the information that would be useful.
For some users it would also be important to be able to verify this for
the whole archive themselves.
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
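The mechanism the two positions above argue about, a user comparing the checksums that several builders' .buildinfo files claim for the same binary packages, as an added example that is not code from the thread or from Debian's own tooling. It assumes plain, already-verified deb822 text (real .buildinfo files are normally gpg-clearsigned and must be checked and de-armoured with gpgv before parsing), and the three builders, paths and digests in the sample are constructed.

```python
"""Cross-check the binary checksums claimed by several .buildinfo files.

Added example, not from the thread. Input is plain deb822 text; verify and
strip gpg clearsign armour (gpgv) before handing a real file to this code.
"""
import re
from collections import defaultdict

HEX64 = re.compile(r"[0-9a-f]{64}")


def parse_deb822(text):
    """One deb822 paragraph -> {field: value}; continuation lines (leading
    whitespace) are appended to the previous field, newline-separated."""
    if text.lstrip().startswith("-----BEGIN PGP"):
        raise ValueError("clearsigned input: verify and strip the armour first")
    fields, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + raw.strip()
        else:
            name, sep, value = raw.partition(":")
            if not sep:
                raise ValueError(f"malformed line: {raw!r}")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def parse_buildinfo(text):
    """Return (source, version, build arch) plus {filename: sha256}."""
    f = parse_deb822(text)
    checksums = {}
    for line in f.get("Checksums-Sha256", "").splitlines():
        if not line:
            continue
        digest, _size, name = line.split()
        if not HEX64.fullmatch(digest):
            raise ValueError(f"bad sha256 for {name}: {digest!r}")
        checksums[name] = digest
    return {"identity": (f["Source"], f["Version"], f["Build-Architecture"]),
            "checksums": checksums}


def cross_check(buildinfos):
    """buildinfos: {party: .buildinfo text}, all for one source/version/arch.
    Returns {filename: {sha256: set(parties that claimed it)}}."""
    claims = defaultdict(lambda: defaultdict(set))
    identity = None
    for party, text in buildinfos.items():
        bi = parse_buildinfo(text)
        if identity is None:
            identity = bi["identity"]
        elif bi["identity"] != identity:
            raise ValueError(f"{party}: {bi['identity']} is not {identity}")
        for name, digest in bi["checksums"].items():
            claims[name][digest].add(party)
    return claims


def assess(claims, min_parties):
    """'reproduced' if all parties agree and at least min_parties claimed the
    file, 'insufficient' if they agree but too few did, 'disputed' if they
    disagree. No trust weighting: who counts as a party, and how many are
    enough, is left to the user's threshold."""
    verdicts = {}
    for name, by_digest in claims.items():
        parties = {d: sorted(p) for d, p in by_digest.items()}
        if len(by_digest) > 1:
            verdicts[name] = ("disputed", parties)
        else:
            n = len(next(iter(by_digest.values())))
            verdicts[name] = ("reproduced" if n >= min_parties else "insufficient",
                              parties)
    return verdicts


# Constructed sample: three builders of hello 2.10-1; dd-bob built under a
# different path and got a different -dbgsym package. Digests are made up.
DIGEST_HELLO = "a1" * 32
DIGEST_DBG = "b2" * 32
DIGEST_DBG_BOB = "c3" * 32


def make_buildinfo(build_path, hello_digest, dbg_digest):
    return f"""Format: 1.0
Source: hello
Binary: hello hello-dbgsym
Version: 2.10-1
Checksums-Sha256:
 {hello_digest} 52864 hello_2.10-1_amd64.deb
 {dbg_digest} 30136 hello-dbgsym_2.10-1_amd64.deb
Build-Architecture: amd64
Build-Path: {build_path}
"""


SAMPLE = {
    "debian-archive": make_buildinfo("/build/hello-2.10", DIGEST_HELLO, DIGEST_DBG),
    "dd-alice": make_buildinfo("/build/hello-2.10", DIGEST_HELLO, DIGEST_DBG),
    "dd-bob": make_buildinfo("/home/bob/hello-2.10", DIGEST_HELLO, DIGEST_DBG_BOB),
}

if __name__ == "__main__":
    for name, (status, parties) in assess(cross_check(SAMPLE), 2).items():
        print(name, status, parties)
```

On the sample, hello_2.10-1_amd64.deb is reproduced by all three parties while the -dbgsym package is disputed, which is exactly the situation where the thread's question bites: the code can count claims, but it cannot tell the user whether dd-bob's Build-Path or the other two builders is the thing to distrust.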