Extending trust in our binaries: No backdoors have been found
I have written earlier on the advantages of reproducible builds.
One of the advantages of reproducible builds is that it allows one to verify that no backdoors have been added to a binary at build time. To do that, you just have to build the same source with the same toolchain on a machine you trust. If the result matches the official build, things look good.
But (as far as I know) nobody had ever done that for openSUSE or SLE. So, incentivised by a question on reddit, I enhanced my reproducibleopensuse scripts to let them do this verification.
Then came the obstacles.
Our openSUSE Tumbleweed is moving too fast and does not do full rebuilds, so its binaries were built with tool and library versions that are no longer available, and the results therefore cannot be the same.
The openSUSE Leap 15 and SLE 15 family are much nicer in this regard: they do full rebuilds. But their official builds do not yet normalize file modification-time values, so no exact matches could be reached. Using 'build-compare', it was possible to find that only 403 / 11520 Leap 15.0 packages and 118 / 3140 SLE-15 packages had significant differences. Most of them were already known not to build reproducibly.
I reviewed the remaining packages and found several new bugs in the process, but no backdoors.
Variations caused by CPU type and by debuginfo were important classes of issues that had not received much attention before.
It has to be noted that reviewing so many packages took considerable time (a few days). Once every package builds reproducibly by default, this will become fast and trivial.
It is also worth noting that the use of specialized comparison tools like 'build-compare' is frowned upon by others working on reproducible builds: only bit-identical builds are proper reproducible builds. One reason for that is certainly that such tools can contain bugs that report different files as similar. Unfortunately, that is not just hypothetical: two such bugs have already been found.
There may be others not yet discovered. Thus, in the end, we want bit-identical reproducible builds.
Only then will a comparison be trivial and never have false positives.
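To make the distinction above concrete (a bit-identical comparison versus a build-compare-style check that normalizes only modification times), here is an added Python example; it is not the author's reproducibleopensuse scripts nor build-compare itself, and the tar archives standing in for packages are constructed inline.

```python
import hashlib
import io
import tarfile


def build_tar(files, mtime):
    """Constructed stand-in for a built package: an uncompressed tar of
    (name, bytes) entries, every entry stamped with the given mtime."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def bit_identical(a, b):
    """The proper reproducible-builds check: whole artifacts must hash equal."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def content_differences(a, b):
    """A build-compare-style check that ignores exactly one field, the tar
    header mtime, and reports every entry whose name, mode, size or bytes
    differ. Keeping the normalization this narrow is what stops a real
    change from hiding behind it."""
    def members(blob):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
            return {m.name: (m.mode, m.size,
                             tar.extractfile(m).read() if m.isfile() else b"")
                    for m in tar.getmembers()}
    ma, mb = members(a), members(b)
    return sorted(n for n in ma.keys() | mb.keys() if ma.get(n) != mb.get(n))


# Constructed sample artifacts (not real openSUSE packages).
FILES = [("usr/bin/tool", b"\x7fELF constructed binary v1"),
         ("usr/share/doc/tool/README", b"constructed docs")]
OFFICIAL = build_tar(FILES, mtime=1_530_000_000)   # the "official" build
REBUILD = build_tar(FILES, mtime=1_540_000_000)    # same bytes, later mtime
TAMPERED = build_tar([("usr/bin/tool", b"\x7fELF constructed binary v1 + extra"),
                      FILES[1]], mtime=1_540_000_000)

if __name__ == "__main__":
    print("bit-identical (mtime differs only):", bit_identical(OFFICIAL, REBUILD))
    print("content diff  (mtime differs only):", content_differences(OFFICIAL, REBUILD))
    print("content diff  (payload changed):   ", content_differences(OFFICIAL, TAMPERED))
```

The rebuild that differs only in mtime fails the bit-identical check but shows no content differences, while the changed payload is reported by both checks.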