Extending trust in our binaries: No backdoors have been found | SUSE Communities
< Back to Blog

Extending trust in our binaries: No backdoors have been found

August 29, 2018 | By: bmwiedemann

Share
Share

I have written earlier on the advantages of reproducible builds

One of the advantages of reproducible builds is that it allows to verify, that no backdoors have been added into a binary at build time. For that, you just have to build the same source with the same toolchain on your trusted machine. If the results match the official build, things look good.
But (as far as I know) nobody had ever done that for openSUSE or SLE. So, incentivised by a question on reddit I enhanced my reproducibleopensuse scripts to allow them to verify.
Then came the obstacles.
Our openSUSE Tumbleweed is moving too fast and not doing full rebuilds, so their binaries are built with tools and libraries that are no more available and thus results cannot be the same.
The openSUSE Leap 15 and SLE 15 family are much nicer in this regard. They do full rebuilds. But their official builds do not yet normalize file modification-time values, so no exact matches could be reached. Using ‘build-compare‘, it was possible to find that only 403 / 11520 Leap 15.0 packages and 118 / 3140 SLE-15 packages had significant differences. Most of them were already known to not build reproducibly.
I reviewed the remaining packages and found several new bugs in the process. But no backdoors.
Variations from CPU-type and debuginfo were important classes of issues that did not get much attention before.

It has to be noted, that reviewing so many packages took considerable time (a few days). Once every package builds reproducibly by default, this will become fast and trivial.

It is also worth noting that the use of specialized comparison tools like ‘build-compare‘ is frowned upon by others working on reproducible builds. Only bit-identical builds are proper reproducible builds. One reason for that is certainly, that such tools can contain bugs that report different files as similar. Unfortunately, that is not just hypothetical. There were already two such bugs found.
There may be others not yet discovered. Thus in the end, we want bit-identical reproducible builds.
Only then, a comparison will be trivial and never have false positives.

Share
(Visited 1 times, 1 visits today)

Leave a Reply

Your email address will not be published.

No comments yet

4,263 views
bmwiedemannSUSE Cloud developer and sysadmin involved in openSUSE reproducible builds
Back

IT Modernization


SAP Solutions


AI and Analytics


Hybrid Cloud Solutions


Nonstop IT


Exit Federal Government

Back

Business-Critical Linux

Enterprise Container Management

Edge

All Products
Back

Solutions

Hybrid Cloud IT
Business-critical Linux

Run & secure cloud and on-prem workloads
Run SAP
Run SAP

Deliver mission-critical SAP solutions
Enterprise Container Management
Enterprise Container Management

Orchestrate cloud-native apps
IT Operations at the Edge
Edge

Deploy intelligent devices to the edge
Public Cloud
SUSE for Public Cloud

Accelerate innovation across your clouds
Security
Security

Secure your digital enterprise

Industries

Back

Support

Product Support
Premium Support Services

Dedicated support services from a premium team


Long Term Service Support

Stay on your existing product version


Expanded Support

Support for common Linux platforms


Renew Your Support Subscription

Services

Consulting Services
Training & Certification
Premium Technical Advisory Services

Resources

SUSE Support User Guide
Patches & Updates
Product Documentation
Knowledgebase
SUSE Customer Center
Product Support Life Cycle
Licensing
Package Hub

Community packages for SUSE Linux Enterprise Server


Driver Search
Support Forums
Developer Services
Beta Program
Security
Back

Partners

Partner Program


Find a Partner


Become a Partner


Login to the SUSE Partner Portal

Back

Communities

SUSE & Rancher Community

Blog


Forum


Academic


Open Source Projects


openSUSE.org



SUSE Česká republika


SUSE Israel


SUSE Magyarország


SUSE Polska

Back

About

About Us


Leadership


Careers


Newsroom


Success Stories


Investor Relations


Social Impact


SUSE Logo and Brand


Events & Webinars


Merchandise Store


Communications Preferences