by alainv 3467 days ago
That's approaching a chicken-and-egg problem. Other parties are working on verifiable open hardware, but their work is only worth so much if any useful software can be tampered with at multiple other points in the chain.

Reproducible builds are an absolutely achievable way of adding trust to that particular step and reducing the overall attack surface.

We don't need to live in a world of two extremes, 'curl http:// | sudo bash' or hand-built silicon.

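The "particular step" the comment above refers to is the build itself: the same sources, built on two different machines, should yield a bit-for-bit identical artifact, so a tampered build server cannot hide a change behind "it just came out different". The script below is an added example written for this page, not code from the commenter or from any real project. It constructs a two-file source tree (hypothetical contents) and builds a tar.gz from it in two ways: naively, where the archive inherits on-disk timestamps, ownership and directory order, and reproducibly, where every such field is pinned to a fixed SOURCE_DATE_EPOCH value (the value used here is an arbitrary assumption). The two "checkouts" are stamped a day apart to simulate different build hosts.

```python
"""Naive vs. reproducible archive build (constructed example, not from the thread)."""
import gzip
import hashlib
import io
import os
import shutil
import tarfile
import tempfile

# Constructed sample source tree; the contents are fixed, only metadata differs
# between the two simulated checkouts.
SOURCE_FILES = {
    "hello.c": b'#include <stdio.h>\nint main(void) { puts("hi"); return 0; }\n',
    "Makefile": b"all:\n\tcc -o hello hello.c\n",
}


def make_checkout(mtime):
    """Write SOURCE_FILES into a fresh temp dir and stamp every file with `mtime`,
    simulating a checkout done at a different time on a different machine."""
    d = tempfile.mkdtemp()
    for name, data in SOURCE_FILES.items():
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
    return d


def build_naive(src_dir):
    """tar + gzip with library defaults: the archive records each file's on-disk
    mtime, the builder's uid/gid and user name, directory-listing order, and a
    gzip header timestamp of 'now'. Two honest builds therefore differ."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:          # mtime defaults to now
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in os.listdir(src_dir):                   # order is filesystem-dependent
                tar.add(os.path.join(src_dir, name), arcname=name)
    return buf.getvalue()


def build_reproducible(src_dir, source_date_epoch):
    """Same inputs, with every nondeterministic field pinned: sorted entry order,
    constant mtime (the SOURCE_DATE_EPOCH convention), numeric owner 0 with no
    user/group names, normalised mode, and a fixed gzip header timestamp."""
    def normalize(info):
        info.mtime = source_date_epoch
        info.uid = info.gid = 0
        info.uname = info.gname = ""
        info.mode = 0o644 if info.isfile() else 0o755
        return info

    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=source_date_epoch) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for name in sorted(os.listdir(src_dir)):
                tar.add(os.path.join(src_dir, name), arcname=name, filter=normalize)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def builds_match(builder, **kwargs):
    """Build the same sources from two checkouts made one day apart and report
    whether the resulting artifacts are bit-for-bit identical."""
    a = make_checkout(1_600_000_000)
    b = make_checkout(1_600_086_400)
    try:
        return sha256(builder(a, **kwargs)) == sha256(builder(b, **kwargs))
    finally:
        shutil.rmtree(a)
        shutil.rmtree(b)


if __name__ == "__main__":
    epoch = 1_500_000_000  # assumed SOURCE_DATE_EPOCH, e.g. the commit timestamp
    print("naive build reproducible:       ", builds_match(build_naive))
    print("normalised build reproducible:  ", builds_match(build_reproducible, source_date_epoch=epoch))
```

The check a verifier actually performs is the last line of `builds_match`: hash the artifact you built yourself and compare it with the hash of the one the distributor ships. Anything that feeds into the artifact but is not part of the declared inputs (clock, uid, locale, path of the build directory, toolchain version) has to be pinned the same way the tar and gzip metadata is pinned here, which is why this is a "step", as the comment says, and not a complete answer to tampering further down the chain.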

The idiotic, reductionist viewpoint that "I have intel ME on my machine so anything and everything that you could ever do is worthless and pointless and moot, trust me on that" is so utterly backwards, such an insane state of denial -- I can't even comprehend it. Until I realize it almost exclusively, in my experience, comes from people who eat tinfoil and have never worked in security.

Honestly, I consider it lucky that the people who typically promote this nonsensical bullshit are probably not actually security engineers or researchers, or allowed to do security related work in any way -- because they would be terrible at it with a position like that. Actual security engineers understand that there are things called "threat models" and "tradeoffs" and you can, in fact, measurably improve security in meaningful ways for many systems.

You might as well just starve yourself to death because -- hey -- eating is pointless when you could get hit by a bus at any moment.

Why prevent your application from having SQL injections? Why not just dump all your customer records and private keys on pastebin? After all, the NSA can just steal those secrets from your computer with some Unicorn Magic, so clearly securing anything is actually pointless.

This is a bit unfair. The threat that source auditing is supposed to mitigate is backdooring by well-funded attackers, and it (AFAICT) isn't very effective against those when they can just go down a level. Are there plausible attackers that are really stopped by compiling from source, that can ship a malicious blob but can't ship malicious hardware?
Think about scale.
Do you believe reproducible builds cover an important threat to make them worth the effort just for that? As far as I understand - not even a little. But the effort is much more important for the future of package management.