[liberationtech] Deterministic builds and software trust
Jonathan Wilkes
jancsika at yahoo.com
Thu Jun 20 10:35:45 PDT 2013
________________________________
From: Mike Perry <mikeperry at torproject.org>
To: liberationtech <liberationtech at lists.stanford.edu>
Sent: Thursday, June 20, 2013 4:34 AM
Subject: Re: [liberationtech] Deterministic builds and software trust
[...]
Thanks for the responses. I'm not a security specialist so it will
take me a will to ingest how all this works...
>> 2) Do you use Tor's git version id (the hash) for the
>> release as the random seed string? Seems like that would be a
>> good precedent to set in case other projects start using this
>> method, too.
>Not sure exactly what you're asking here.
>For GCC's -frandom-seed, we just use "tor" as the string. I'm not aware
of any reason why that seed needs to ever change (my understanding is
that it is only used for symbol mangling to avoid static/namespace
collisions).
What happens if you try to run two different versions on the same machine,
both of which were seeded with "tor"?
Or in "Exploit City" of the future, if a distro decides to go the deterministic
build route for _everything_ what happens when two versions of a library
are needed?
So I was just thinking that using the git hash as the seed would be future-proof:
it would guarantee no clashes for everything other than compiling the _exact_
same code in different dirs and trying to run both at the same time.
-Jonathan
>We also include the full set of git hashes, version tags, and input
source hashes in the bundles themselves, so you know exactly what went
into your bundle if you want to try to match it at a later date...
--
Mike Perry
--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130620/cf992143/attachment.html>
More information about the liberationtech
mailing list