[tor-talk] Qubes? debian? binary? reproducible? (was: EGOTISTICAL something)

carlo von lynX lynX at time.to.get.psyced.org
Sun Dec 7 12:03:51 UTC 2014

On Sun, Dec 07, 2014 at 03:38:56AM -0800, coderman wrote:
> would compromising Debian upstream be easier?  probably, but it would
> also be more visible.

If it took ages to find heartbleed in the source, how likely is it
that a backdoored binary is found?

> > I know that currently 13600 packages of debian can be built
> > reproducible [1], but does that mean that at least those are
> > being distributed with reproducible binaries? I assume not.
> this is two concerns:
> 1) if built packages can be verified independently. (reproducible builds)
> 2) if packages are distributed to users securely. (signatures on pkgs, etc.)

Not really, (2) has to happen in any case - but if you distribute binaries
that comply to (1) then you get both advantages.

> you need to cover both, of course. but they only address part of the
> problem.  a vulnerable application that is reproducibly built, and
> properly signed, and verified before installation, is still
> vulnerable.

Yes, but it is a tougher challenge to introduce something like
heartbleed and not be noticed rather than influencing that some
binary is replaced by another, then have it signed and distributed,
and have something definitely less likely to be discovered later.

So why talk of the harder class of vulnerabilities if we haven't fixed 
the easier to fix class of vulnerabilities yet? Insecure binaries.
I am talking of getting rid of the easier to introduce vulnerabilities.

> > My current state of information is such that any source-code
> > based distribution is less likely to be affected by backdoors
> > until debian and all derivates indeed ship reproducible binaries.
> > If Whonix can be rebuilt from source, so can Qubes OS?
> how do you securely distribute sources to be built?  a source based
> distribution has different trade-offs, rather than being immune to
> tampering.

Gentoo provides cryptographic hashes for all tars and zips it uses
for over ten years now. It's really no black magic. Gentoo has other
issues and I don't understand why there is so little interest in
OS built from source. If techies were admitting what a crazy risk
it is to trust binary distributions, maybe source-code based ones
would be much more advanced usability-wise by now.

But I acknowledge the work being done for reproducible debian and
I wished I would also have time to participate in that.

> you can of course build any of these from source. (all of them open source).

But you need to bootstrap from binaries that somebody else made
and that cannot immediately be rebuilt reproducibly. I hope
this will soon change, but as long as this isn't the case, I don't
understand why debian derivates are treated as being secure.

> > Why bother with Whonix or TAILS specifically? Making use of
> > backdoors is in any case risky since folks like us may have
> > the competence to notice those activities going on... and
> > possibly document how they work.
> some vulnerabilities are specific to a single build or architecture,
> some are specific to configuration, some are specific to opportune
> timing or position, and so on.
> which route is chosen, backdoor or exploit, varies by situation, and
> of course, the visibility of either varies quite a bit too.

Yes, and?

> > But what do I know. The more I dig into this, the more I gather
> > how much I am left in the dark.
> if there's one thing we've learned the last few years, it is that all
> avenues are pursued. backdoors and exploits both, and at all levels,
> from operating system to end user applications.

Yes, that's why I question all non-reproducible binary distributions.


More information about the tor-talk mailing list