
It allows you to verify that the source code was unaltered when the original build was produced. (By building it a second time with known good code.)


Does anyone diff public releases with builds done using a known good environment?

It would be a lot of work but could expose malicious providers.

Then again it might be hard to create an actual good environment considering all the software/firmware/hardware layers modern systems have.


Yes, this is known as a rebuilder.

There is still work to be done, but NYU was one of the organizations working on developing and running a rebuilder. The idea is that you pull buildinfo files from https://buildinfo.debian.net/, then try to verify them, and if you get the same artifact you sign that you successfully verified this binary package.

A user could then configure "I trust rebuilder X, Y, Z and I require that at least N have successfully verified the package" before installing it.
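An added illustration of the "N trusted rebuilders must agree" policy sketched in this comment; it is not code from NYU's rebuilder, buildinfo.debian.net, or any Debian tool. The attestation record layout, the rebuilder names and the package name are assumptions; a real deployment would verify each rebuilder's signature before trusting its attestation.

```python
"""N-of-M rebuilder policy check (constructed example, not a real rebuilder)."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Attestation:
    rebuilder: str  # identity of the rebuilder that published this result
    package: str    # binary package the rebuilder claims to have rebuilt
    sha256: str     # digest of the artifact the rebuilder produced


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verified_rebuilders(archive_sha256, attestations, trusted):
    """Trusted rebuilders whose independent build matches the archive digest.
    A set is used so one rebuilder cannot count twice by re-publishing."""
    return sorted({a.rebuilder for a in attestations
                   if a.rebuilder in trusted and a.sha256 == archive_sha256})


def disagreeing_rebuilders(archive_sha256, attestations, trusted):
    """Trusted rebuilders that got a different artifact: worth investigating,
    since either the archive build or that rebuilder's environment differs."""
    return sorted({a.rebuilder for a in attestations
                   if a.rebuilder in trusted and a.sha256 != archive_sha256})


def policy_allows_install(archive_sha256, attestations, trusted, threshold):
    """True iff at least `threshold` distinct trusted rebuilders reproduced it."""
    return len(verified_rebuilders(archive_sha256, attestations, trusted)) >= threshold


# Constructed sample data: the archive's artifact and a tampered variant.
GOOD = b"constructed .deb contents"
TAMPERED = b"constructed .deb contents plus an extra payload"
ARCHIVE_SHA256 = sha256_hex(GOOD)          # digest listed in the buildinfo file
PKG = "example_1.0-1_amd64.deb"            # hypothetical package name
ATTESTATIONS = [
    Attestation("rebuilder-x", PKG, sha256_hex(GOOD)),
    Attestation("rebuilder-x", PKG, sha256_hex(GOOD)),      # duplicate, counts once
    Attestation("rebuilder-y", PKG, sha256_hex(GOOD)),
    Attestation("rebuilder-z", PKG, sha256_hex(TAMPERED)),  # disagrees
    Attestation("rebuilder-unknown", PKG, sha256_hex(GOOD)),  # not trusted
]
TRUSTED = {"rebuilder-x", "rebuilder-y", "rebuilder-z"}

if __name__ == "__main__":
    print(verified_rebuilders(ARCHIVE_SHA256, ATTESTATIONS, TRUSTED))
    print(disagreeing_rebuilders(ARCHIVE_SHA256, ATTESTATIONS, TRUSTED))
    print(policy_allows_install(ARCHIVE_SHA256, ATTESTATIONS, TRUSTED, 2))
```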


See here for an example: https://gitian.org/. As I understand it, it's used to build a (the?) Bitcoin client.



