Bruce Leidl (brl)
Created July 29, 2020 13:27
Comments on build reproducibility

Tavis Ormandy argues that build reproducibility delivers no security benefit to the user, because to verify that a vendor's binary was reproducibly built you first have to build the binary yourself. At that point you already hold a binary you can trust. And since reproducibility presupposes that the source code is available, any user can produce a trustworthy binary simply by compiling the source, whether or not the build is reproducible.

Ok, but what if we set up a system in which nominated trusted entities verify the build on our behalf? Tavis points out that if you trust some third party more than the vendor, you should download your software from that third party as well. Once again reproducibility is irrelevant, since the trusted third party can compile the source code and send you the binary.
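To make the verification step in the two paragraphs above concrete, here is an added worked example (it is not code from this gist, from Tavis Ormandy or from Subgraph). It assumes a constructed three-file source tree and models "the build" as packing that tree into a zip archive, because archives are a classic source of non-determinism: entry order, per-file mtimes and a build-time stamp. The naive builder embeds all three; the reproducible builder sorts entries and pins every timestamp to a SOURCE_DATE_EPOCH-style constant. The `verify_vendor_binary` function is the check the argument is about: it rebuilds from source and compares hashes, and, as a side effect, hands back the locally built artifact.

```python
"""Worked example: what verifying a reproducible build actually involves.

Constructed for this note; not code from the gist or from Tavis Ormandy.
The build is simulated by packing a tiny in-memory source tree into a zip.
"""
import hashlib
import io
import time
import zipfile

# Constructed sample source tree (path -> bytes); an assumption, not a real project.
SOURCE_TREE = {
    "src/main.c": b'#include <stdio.h>\nint main(void) { puts("hi"); return 0; }\n',
    "src/util.h": b'#define VERSION "1.0"\n',
    "README": b"demo\n",
}

# Fixed timestamp, playing the role SOURCE_DATE_EPOCH plays in real reproducible builds.
SOURCE_DATE_EPOCH = 1596029220  # arbitrary constant chosen for the example


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_naive(tree: dict, checkout_mtime: int, build_time: int) -> bytes:
    """Non-reproducible build: entries in on-disk order, each stamped with its
    checkout mtime, plus a BUILD_INFO file carrying the wall-clock build time.
    Two honest builds of identical sources therefore differ byte for byte."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in tree.items():
            info = zipfile.ZipInfo(path, date_time=time.gmtime(checkout_mtime)[:6])
            zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
        info = zipfile.ZipInfo("BUILD_INFO", date_time=time.gmtime(build_time)[:6])
        zf.writestr(info, f"built-at={build_time}\n".encode())
    return buf.getvalue()


def build_reproducible(tree: dict, source_date_epoch: int = SOURCE_DATE_EPOCH) -> bytes:
    """Reproducible build: sorted entry order, every timestamp pinned to
    source_date_epoch, normalised mode bits. Output depends only on the sources."""
    fixed = time.gmtime(source_date_epoch)[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(tree):
            info = zipfile.ZipInfo(path, date_time=fixed)
            info.external_attr = 0o644 << 16  # do not leak the checkout's umask
            zf.writestr(info, tree[path], compress_type=zipfile.ZIP_DEFLATED)
        info = zipfile.ZipInfo("BUILD_INFO", date_time=fixed)
        zf.writestr(info, f"built-at={source_date_epoch}\n".encode())
    return buf.getvalue()


def verify_vendor_binary(vendor_artifact: bytes, tree: dict, builder=build_reproducible):
    """The verification step the argument is about: rebuild from source and
    compare hashes. Note the side effect: whether or not the vendor's copy
    matches, you now hold `local`, a binary you built yourself."""
    local = builder(tree)
    return sha256(local) == sha256(vendor_artifact), local


def demo() -> dict:
    # Two honest naive builds of the same tree on different days.
    a = build_naive(SOURCE_TREE, checkout_mtime=1596000000, build_time=1596000100)
    b = build_naive(SOURCE_TREE, checkout_mtime=1596100000, build_time=1596100100)
    # The same tree checked out in a different on-disk order.
    reordered = dict(reversed(list(SOURCE_TREE.items())))
    r1 = build_reproducible(SOURCE_TREE)
    r2 = build_reproducible(reordered)
    # A vendor artifact built from tampered sources (constructed).
    tampered = dict(SOURCE_TREE)
    tampered["src/main.c"] += b"/* backdoor */\n"
    tampered_ok, _ = verify_vendor_binary(build_reproducible(tampered), SOURCE_TREE)
    honest_ok, _ = verify_vendor_binary(build_reproducible(SOURCE_TREE), SOURCE_TREE)
    return {
        "naive_builds_match": sha256(a) == sha256(b),    # False
        "repro_builds_match": sha256(r1) == sha256(r2),  # True
        "honest_vendor_verifies": honest_ok,             # True
        "tampered_vendor_verifies": tampered_ok,         # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two halves of the argument: the reproducible builder lets a vendor's artifact be checked at all (the naive one cannot be, since even honest builds disagree), but the check is only possible because `verify_vendor_binary` performed a full local build, and the `local` artifact it returns is exactly the binary the user could have used without ever looking at the vendor's copy.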

Yes, of course you can just build the software yourself, but nobody wants to do that. The core of the argument presumes that the property the user