Opened 5 years ago

Closed 3 years ago

#6008 closed project (duplicate)

Improve software assurance

Reported by: phobos Owned by: phobos
Priority: Medium Milestone:
Component: Company Version:
Severity: Keywords: SponsorZ-large
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Improving software assurance through repeatable builds across all operating systems and verifiable build system security. Without getting into endless black holes (see http://cm.bell-labs.com/who/ken/trust.html), we should be able to document how our software was built and others should be able to repeat the exact same steps and build the exact same binaries. The binaries should be verifiable through some hash algorithm or forensic analysis of the resulting binaries.

This goes towards improving our build integrity and build security once others can independently verify the binaries.
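The hash-based verification described in the ticket description above, as an added example that is not part of the original ticket or of the project's build tooling: it compares `sha256sum`-style manifests published by independent builders and reports which artifacts were actually reproduced. Builder names, artifact names, the `quorum` parameter and the sample digests are hypothetical and constructed for illustration.

```python
import hashlib
from collections import defaultdict

HEX = set("0123456789abcdef")

def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex>  <name>' ('*' prefix = binary mode)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip()
        if name.startswith("*"):
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest
    return entries

def compare_builds(manifests, quorum=2):
    """manifests: {builder: manifest text} -> {artifact: (status, detail)}."""
    seen = defaultdict(dict)  # artifact -> {builder: digest}
    for builder, text in manifests.items():
        for name, digest in parse_manifest(text).items():
            seen[name][builder] = digest
    report = {}
    for name, by_builder in sorted(seen.items()):
        digests = set(by_builder.values())
        if len(digests) > 1:            # any disagreement is a failure, not a vote
            report[name] = ("MISMATCH", dict(by_builder))
        elif len(by_builder) < quorum:  # one builder alone proves nothing
            report[name] = ("UNVERIFIED", sorted(by_builder))
        else:
            report[name] = ("REPRODUCED", digests.pop())
    return report

# Constructed sample data: builder and artifact names are hypothetical.
GOOD = hashlib.sha256(b"constructed artifact bytes").hexdigest()
DRIFT = hashlib.sha256(b"constructed artifact bytes + build timestamp").hexdigest()
SAMPLE = {
    "builder-a": f"{GOOD}  app-linux64.tar.xz\n{GOOD} *app-win32.exe\n{GOOD}  app-osx.zip\n",
    "builder-b": f"{GOOD}  app-linux64.tar.xz\n{DRIFT} *app-win32.exe\n",
    "builder-c": f"{GOOD.upper()}  app-linux64.tar.xz\n",
}

if __name__ == "__main__":
    for artifact, (status, detail) in compare_builds(SAMPLE).items():
        print(f"{status:10} {artifact}: {detail}")
```

A `MISMATCH` is reported even when a majority of builders agree, since a single divergent digest means either a non-deterministic build step or a tampered build environment and both need investigation.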

Change History (3)

comment:1 Changed 5 years ago by karsten

  • Keywords SponsorZ added
  • Milestone Sponsor Z: November 1, 2013 deleted

Switching from using milestones to keywords for sponsor deliverables. See #6365 for details.

comment:2 Changed 5 years ago by mikeperry

  • Keywords SponsorZ-large added; SponsorZ removed

See also #6011. May be a dup?

For the record, with enough effort, we can verify all the way down to silicon:
https://www.schneier.com/blog/archives/2006/01/countering_trus.html
http://www.dwheeler.com/trusting-trust/

Though it might be a tiny bit trickier than just "use two compilers":
https://pjakma.wordpress.com/2010/09/20/critique-of-diverse-double-compiling/

comment:3 Changed 3 years ago by phobos

  • Resolution set to duplicate
  • Status changed from new to closed

See the gitian stuff mikeperry has done.