TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

75% Positive

Analyzed from 628 words in the discussion.

Trending Topics

#debian#reproducible#issues#builds#end#supply#chain#packages#user#guarantee

Discussion (22 Comments)Read Original on HackerNews

Zopieux•about 1 hour ago
A great milestone, congrats Debian on taking a stance and holding high standards for yourself, especially in the current era.
jaypatelani•about 2 hours ago
Good thing. NetBSD has fully reproductible build since 2017. https://blog.netbsd.org/tnf/entry/netbsd_fully_reproducible_...
idoubtit•about 1 hour ago
As pointed in your link, NetBSD achieved this with some help from Debian. If I understand correctly, it's not that NetBSD tried harder, it's that their problem was easier: fewer packages which change less (they still use CVS, "stability" is an understatement!).

BTW, most Debian packages have reproducible builds. Those which have not (I'd say 5%) are shown in orange in the graph there: https://wiki.debian.org/ReproducibleBuilds

pixel_popping•36 minutes ago
Forbidden

You don't have permission to access this resource. Apache Server at lists.debian.org Port 443

:/

inglor_cz•44 minutes ago
Has anyone fought Microsoft Visual Studio successfully to produce reproducible builds of C++ programs? From what I have heard, it is one of the worst contexts to do it.
shevy-java•about 2 hours ago
A small step for debian,

giant leap for mankind.

stingraycharles•about 2 hours ago
As someone who recently spent a lot of time on making a large C++ program entirely reproducible on 4 different OS’es, one cannot understate just how many tiny details matter here.
kkfx•about 1 hour ago
Debian, like any other legacy distro, mush became declarative, because the '80s model of manual deploy and the absurd pain of D/I and Preseed must end.
blueflow•about 3 hours ago
zero improvement on end-user experience. does not solve supply chain issues, debian package will reproducabily contain the malware from upstream.
quantummagic•about 2 hours ago
> zero improvement on end-user experience.

Maybe not by itself, but it does allow for the ecosystem to be audited, in a way that ultimately benefits the end-user. It really is an important part of a healthy supply chain.

miohtama•about 2 hours ago
I would call less North Korean hacks a massive benefit for end users
iveqy•about 3 hours ago
It does not solve all supply chain issues, it do solve some supply chain issues.

Not being able to see if the source code shipped is the same as been used for creating the binary is scary

murderfs•about 1 hour ago
Has there been a single publicly known attack that would have been prevented by this?
rlpb•about 3 hours ago
Debian has had a better "software supply chain" posture than any other player in the ecosystem since before the turn of the century. While we all face the risk of malware from upstream, Debian is the least at risk of being affected by it. See for example the stream of issues from npm et al. None of it has affected Debian.
alkindiffie•about 3 hours ago
> for example the stream of issues from npm et al.

Curious, what distros where affected by npm supply chain attacks?

hiAndrewQuinn•about 2 hours ago
This is some of the best news I've heard recently when it comes to figuring out how to produce high quality Software Bills of Materials for the upcoming EU Cyber Resilience Act, for what it's worth. Reproducible packages are actually worth a great deal when you are selling products with digital elements. Much easier to scan through, audit, etc. with confidence.
shevy-java•about 2 hours ago
Well - reproducible also means code guarantee. It may not improve an end-user experience directly, but you get an extra quality control step, as guarantee, here. I think reproducibility is great. If we can achieve that, it should be achieved. See also NixOS; it can guarantee that snapshot xyz works, not just for one user, but ALL users. I see it as hopping from guarantee to guarantee. That's actually a good thing in the long run. Just think differently here.
mschuster91•about 2 hours ago
That's not what reproducible builds aim to prevent, and no one claims that. When upstream pushes bad code, that's on upstream.

The thing reproducible builds aim to prevent is Debian or individual developers and system administrators with access rights to binary uploads and signing keys to get forced to sign and upload binary packages by attackers - be these governments (with or without court orders) or criminal organizations.

As of now, say if I were an administrator of Debian's CI infrastructure, technically there would be nothing preventing me from running an "extra" job on the CI infrastructure building a package for openssh with a knock-knock backdoor, properly signing it and uploading it to the repository. For someone to spot the attack and differentiate it, they'd have to notice that there is a package in the repository that has no corresponding build logs or has issues otherwise.

But with reproducible builds, anyone can set up infrastructure to rebuild Debian packages from source automatically and if there is a mismatch with what is on Debian's repository, raise alarm bells.

atoav•about 2 hours ago
If you find yourself holding opinions of the kind: "If it can't be made perfect, it shouldn't be changed at all?" you may want to consider that most things that work well today were incrementally improved.

Reproducable builds are not solving all issues as you rightly observed, but they can be a stepping stone (or even a pre-condition) for further measures.