Reproducing distributed binaries

Philip Cheney packwidth at gmail.com
Thu Aug 18 02:46:36 UTC 2005


  I know that this topic has been discussed quite exhaustively with  
regard to other security applications, but here it goes again:

  What is necessary to determine that the binaries that are  
distributed are actually compiled from the source tarball (same  
checksum)?
[This is assuming, of course, that one checks out the source and the  
install scripts included with the binaries.]
  I assume you'd need to use the same compiler, compiler version, and  
compile options.  Anything else?

  I anticipate several responses suggesting that I just use the  
binary that I compiled in order to test the distributed version!  But  
there are advantages to using the prepackaged version (i.e. ease of  
installation and distribution across several systems).  It would be  
trivial to write a script to grab the tarball and the binary package,  
uncompress and compile the source (according to compile specs  
provided in the tarball?) then compare the two.  The script would  
also output the diffed source (and install scripts) (from the  
previous version) to let you examine the changes in the source code.

  If there were several people running a script like this with every  
release, it would be considerably easier to detect the presence of a  
trojaned binary package.

Any thoughts on the matter?

Cheers,
Phil
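The checking script sketched above, written out as an added example (it is not code from the original post or from the Tor project). It unpacks the new source tarball into a scratch directory, runs a build step on it, hashes the result against the distributed package, reports the first byte at which they diverge when they differ, and prints a unified diff of the source against the previous release. To keep it runnable offline the "compiler" is a stand-in (a deterministic concatenation of the `*.c` files) and the two releases and the distributed packages are constructed in memory; in real use you would swap in the packager's actual compiler, version and flags, and feed it the downloaded tarballs and package.

```python
"""Rebuild a release from its source tarball, compare the result with the
distributed binary, and show what changed in the source since the last release.

Added example, not from the original post. `toy_compiler` is a stand-in for
the real build so the script runs offline; all sample data is constructed.
"""
import difflib
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path
from typing import Callable, Dict


def make_tarball(files: Dict[str, str]) -> bytes:
    """Build a deterministic in-memory .tar.gz from {path: text} (sample input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in sorted(files.items()):
            data = text.encode()
            info = tarfile.TarInfo(name)  # mtime stays 0, so the archive is reproducible
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_sources(tar_bytes: bytes) -> Dict[str, str]:
    """Return {path: text} for every regular file in the tarball."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read().decode()
    return out


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_compiler(srcdir: Path) -> bytes:
    """Stand-in for the real compiler: deterministic concatenation of the *.c files."""
    parts = [p.read_bytes() for p in sorted(srcdir.rglob("*.c"))]
    return b"TOYBIN\0" + b"\0".join(parts)


def rebuild(tar_bytes: bytes, build: Callable[[Path], bytes]) -> bytes:
    """Unpack the source into a scratch directory and run the build step on it."""
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
            # Use the 'data' extraction filter where this Python supports it, so a
            # hostile tarball cannot write outside the scratch directory.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(tmp, **kwargs)
        return build(Path(tmp))


def compare_binaries(distributed: bytes, rebuilt: bytes) -> dict:
    """Hash both artefacts; on mismatch report where they first diverge so the cause
    (an embedded timestamp or build path, or a real modification) can be located."""
    first = next((i for i, (a, b) in enumerate(zip(distributed, rebuilt)) if a != b), None)
    if first is None and len(distributed) != len(rebuilt):
        first = min(len(distributed), len(rebuilt))  # one is a prefix of the other
    return {
        "match": distributed == rebuilt,
        "distributed_sha256": sha256(distributed),
        "rebuilt_sha256": sha256(rebuilt),
        "first_diff_offset": first,
        "size_delta": len(rebuilt) - len(distributed),
    }


def source_diff(prev_tar: bytes, new_tar: bytes) -> str:
    """Unified diff of every file across the two source releases (added files included)."""
    old, new = read_sources(prev_tar), read_sources(new_tar)
    chunks = []
    for name in sorted(set(old) | set(new)):
        a = old.get(name, "").splitlines(keepends=True)
        b = new.get(name, "").splitlines(keepends=True)
        chunks.extend(difflib.unified_diff(a, b, f"a/{name}", f"b/{name}"))
    return "".join(chunks)


def verify_release(prev_tar: bytes, new_tar: bytes, distributed_binary: bytes,
                   build: Callable[[Path], bytes] = toy_compiler) -> dict:
    """Full check: rebuild, compare with the package, and attach the source diff."""
    report = compare_binaries(distributed_binary, rebuild(new_tar, build))
    report["source_diff"] = source_diff(prev_tar, new_tar)
    return report


# Constructed sample releases (not real Tor sources).
PREV_TARBALL = make_tarball({"main.c": "int main(void){return 0;}\n"})
NEW_TARBALL = make_tarball({"main.c": "int main(void){return 1;}\n",
                            "util.c": "int helper(void){return 42;}\n"})
# Two constructed "distributed" packages: one built honestly from NEW_TARBALL,
# one that differs from it by a single byte.
DISTRIBUTED_GOOD = rebuild(NEW_TARBALL, toy_compiler)
DISTRIBUTED_TAMPERED = DISTRIBUTED_GOOD.replace(b"return 1", b"return 7")

if __name__ == "__main__":
    for label, pkg in (("good", DISTRIBUTED_GOOD), ("tampered", DISTRIBUTED_TAMPERED)):
        r = verify_release(PREV_TARBALL, NEW_TARBALL, pkg)
        status = "match" if r["match"] else f"MISMATCH at byte {r['first_diff_offset']}"
        print(f"{label}: {status}  ({r['distributed_sha256'][:12]} vs {r['rebuilt_sha256'][:12]})")
    print(verify_release(PREV_TARBALL, NEW_TARBALL, DISTRIBUTED_GOOD)["source_diff"])
```

The byte offset in the mismatch report is the practical part: with a real toolchain a hash mismatch is not by itself proof of tampering, since a build date or absolute path embedded by the compiler or linker produces one too, and knowing where the two files first diverge lets you tell a benign difference of that kind from a changed instruction. The `data` extraction filter is there because the tarball being checked is exactly the untrusted input.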