[GLLUG] RedHat spooked ?

Karanbir Singh mail-lists at karan.org
Mon Jun 23 11:20:32 UTC 2014


Hi,

On 06/23/2014 11:55 AM, Nix wrote:
>> I'd find it surprising if RedHat has not been the target of the NSA.
>> The question to ask is whether or not the company has been compelled
>> to assist. The only safeguard is transparency - all binaries must have
>> full source available, and it must be demonstrably possible to cleanly
>> rebuild identical binaries.
> 
> Of course this needs special measures to be taken: some object files
> include timestamps, random padding, effective randomness from
> profile-guided optimization -- and many symbol names, unless
> specifically requested, are randomly generated (see -frandom-seed).
> 
> So one cannot simply say 'ooh, this binary is different from one I built
> myself, proof of nefarious intent!'. Binaries built at different times
> or on different systems will almost always be different unless
> explicit measures were taken to make them the same.

Part of solving that problem is knowing and having some level of
measures taken on the first build instance as well, in this case we don't
have that.

The biggest challenge here is also code-audits, few people - apart from
a few Govt Agencies - have actually ever undertaken a complete distro
wide code audit. Mostly along the lines of what you already said -
building stuff is easy, it's a case of having some level of confidence in
what it is that you are building and where/how you are going to use it.

Adding 'tracker' builders, that shadow the CentOS buildsystem is largely
a trivial task at this point with the code all moving through git, and
an api around the entire git store to make stuff like this easier. It
would absolutely rock to have a bunch of such efforts to come up, and
feedback +1's ( welcome to social media for builders ), to endorse build
results. Consuming that endorsement might not be trivial, but a
worthwhile effort ( because we all trust the source code going in, right? )

- KB


-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
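The point Nix makes about timestamps and -frandom-seed, and KB's idea of "tracker" builders that shadow a build system, both come down to one concrete check: build the same source twice and see whether the binaries match. The script below is an added example, not code from the thread, CentOS or Red Hat. It compiles a constructed C file twice in each of two modes and reports whether the rebuild is byte-for-byte identical: in "wallclock" mode a build stamp taken from the current time leaks into the binary (what an unmanaged build does), in "pinned" mode the stamp comes from SOURCE_DATE_EPOCH and the -frandom-seed value from a checksum of the source. It assumes a C compiler reachable as $CC (default cc) and the POSIX tools mktemp, cksum, cmp and date; the fallback epoch 1403522432 is a constructed value (the post's own date) and BUILD_STAMP is a constructed macro name, not a convention of any real build system.

```shell
#!/bin/sh
# Added example, not code from the GLLUG thread: a minimal "tracker builder"
# check. It compiles one constructed C file twice and reports whether the two
# binaries are byte-for-byte identical, once with the build inputs pinned and
# once with the wall clock leaking in. Assumes a C compiler reachable as $CC
# (default: cc) plus the usual POSIX tools (mktemp, cksum, cmp, date).
set -eu

CC="${CC:-cc}"
# Constructed reference time (the post's own date, 2014-06-23 11:20:32 UTC),
# used when the caller sets no SOURCE_DATE_EPOCH.
PINNED_EPOCH=1403522432

# Write the constructed sample program to $1. Like many real build systems it
# embeds a stamp handed in on the command line (-DBUILD_STAMP=...), which is
# exactly the per-build value that makes two honest builds differ.
write_sample() {
    cat > "$1" <<'EOF'
#include <stdio.h>
#ifndef BUILD_STAMP
#define BUILD_STAMP "unstamped"
#endif
int main(void) {
    printf("build stamp: %s\n", BUILD_STAMP);
    return 0;
}
EOF
}

# build_once SRC OUT STAMP SEED: one compile. The stamp and the -frandom-seed
# value are explicit arguments, so the caller decides whether they are fixed.
build_once() {
    "$CC" -O2 -frandom-seed="$4" -DBUILD_STAMP="\"$3\"" -o "$2" "$1"
}

# rebuild_matches MODE: build the sample twice, return 0 if the binaries are
# identical and 1 if they differ.
#   wallclock  stamp = current time, seed = per-build string (unmanaged build)
#   pinned     stamp = SOURCE_DATE_EPOCH, seed = checksum of the source text
rebuild_matches() {
    mode="$1"
    work="$(mktemp -d)"
    write_sample "$work/hello.c"
    src_sum="$(cksum < "$work/hello.c" | cut -d' ' -f1)"
    i=1
    while [ "$i" -le 2 ]; do
        case "$mode" in
            wallclock)
                stamp="$(date +%s)"
                seed="build-$i-$stamp"
                ;;
            pinned)
                stamp="${SOURCE_DATE_EPOCH:-$PINNED_EPOCH}"
                seed="src-$src_sum"
                ;;
            *)
                echo "unknown mode: $mode" >&2
                rm -rf "$work"
                return 2
                ;;
        esac
        build_once "$work/hello.c" "$work/hello.$i" "$stamp" "$seed"
        # Make sure the second wall-clock build lands in a later second.
        if [ "$mode" = wallclock ] && [ "$i" -eq 1 ]; then
            sleep 1
        fi
        i=$((i + 1))
    done
    if cmp -s "$work/hello.1" "$work/hello.2"; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return "$status"
}

# Stand-alone run: one line per mode. Skipped quietly when no compiler exists.
if command -v "$CC" >/dev/null 2>&1; then
    for mode in pinned wallclock; do
        if rebuild_matches "$mode"; then
            echo "$mode: rebuild is identical"
        else
            echo "$mode: rebuild differs"
        fi
    done
fi
```

Run it as `sh tracker-check.sh`; the pinned mode should report an identical rebuild and the wallclock mode a differing one. A real tracker builder would apply the same idea to a whole package: fix SOURCE_DATE_EPOCH, the seed, the compiler version and the build path, rebuild the published source, and only then treat a mismatching hash as something worth investigating rather than as proof of anything on its own.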
