[copper_rose]

The stated goal is to enable someone to verify "that they have gotten the same version as the rest of the world and not a special, possibly compromised version." This is actually two goals: (1) verify that your version is the same as everyone else's, and (2) verify that that version is genuine.

Why should one care about (1)? All that really matters is (2). As long as I'm using a genuine release, does it matter what the rest of the world is using? Unless I wish to establish trust in a binary based on how popular it is, or unless I care about interoperability between the version I have and the version others have, it doesn't really matter what version everyone else has.

I wonder if the author has heard about Nix or Guix? The purely functional software deployment model pioneered by Nix solves (2) trivially, for practically all applications in general, not just Firefox specifically. It also solves many other problems in the field of software deployment that this article doesn't even mention.

Long story short, don't reinvent the wheel. Use Nix or Guix. Learn more by reading the first chapter of Eelco Dolstra's thesis, which describes the problems and how the Nix model solves them:

https://nixos.org/~eelco/pubs/phd-thesis.pdf

Edit: Even if one is concerned about (1), the Nix model enables ways to verify that the origin is actually sending a binary that was built from the source it claims to use. For example, consider "guix challenge":

https://www.gnu.org/software/guix/manual/html_node/Invoking-...

[kibwen]

The reason to care about getting the same binary as the rest of the world is that it increases the likelihood that an attack will be detected.

In the case with neither binary transparency or reproducible builds, a nefarious actor can target a single user with a tainted binary and it's unlikely that the user will find out and difficult for them to rule out the possibility of tampering up-front.

In the case with binary transparency but no reproducible builds, a nefarious actor must target all users which makes it more likely that someone will notice, but still difficult for people to rule out tampering up-front.

In the case with reproducible builds but no binary transparency, it's easy for people who are paranoid to rule out tampering with the binary, but people who aren't paranoid are unlikely to discover that their specific binaries were tampered with, so a targeted attack will still probably go undetected.

In the case with both reproducible builds and binary transparency, it only takes one paranoid person discovering a tampered binary to alert the whole world that their own binaries have been tampered with. It's safety in numbers, even for those not technically-literate enough to determine (or even suspect) tampering.

[copper_rose]

Thank you for the clarification. I can see from your examples why binary transparency is a useful concept worth considering in its own right. I still suspect there is a huge amount of overlap between the problems the author is trying to solve and they ones that Nix/Guix has already solved (especially the way they want to use a hashing algorithm to identify the release). I'll bet a general solution for binary transparency could be built - a solution from which practically all software in general could benefit, not just Firefox in particular - by building on top of (or at least learning from) the base that the purely functional software deployment model, as pioneered by Nix, has already given us.

I am not simply saying "They should use Nix" as if that would magically accomplish their goals. I am saying that they could build on top of, or at least learn from, the novel techniques that Nix has contributed to the field of software deployment.

[aaronlevin]

One of the people involved in the reproducible builds project is a NixOS committee. Fairly certain they're aware of nix/guix

[copper_rose]

Does the reproducible builds project have a hand in the project to give Security/Binary Transparency to Firefox? I ask because i don't know, and I saw no language to suggest that in the page linked.

[schoen]

The traditional answer is that if your version is different from others', it might be because (1) the developer is trying to attack you, including (1a) the developer wants to attack you, (1b) someone forced the developer to make a custom version of the software in order to attack you, or (1c) someone compromised the internal processes of the developer in order to attack a small group of users (in a way that reduces the chance that the compromise will be discovered by the developer or by others).

This also includes, perhaps, (1d) there are some secret antifeatures in the software whose existence the developer hopes to conceal from the general user population.

For some of these cases, "you" might include not just one person, but also users in a particular country, language community, or income bracket.

Edit: I agree that there may be technical solutions other than binary transparency in particular that can also address some of these concerns.

[copper_rose]

I can understand why those scenarios would be concerning. Ultimately, what matters depends on the threat model. I believe that the Nix model can be used as a base for solving issues like the one presented here, and that it can be done in generality, for a wide spectrum of software.

[AgentME]

Reproducible builds (which it seems like Nix focuses on) are useful, but they don't address the problem of whether you got the same binary or source as everyone else at all.

[copper_rose]

Nix's functional software deployment model is a useful tool for building software reproducibly, but reproducible builds are neither the primary motivation for nor the primary goal of the Nix model. For information on what problems it aims to solve, how it solves them, and how it can be applied in various useful ways (e.g., a package manager is just one particular thing you can implement using the Nix model), I suggest you read the first chapter of the thesis I linked earlier. It's very interesting, and I think you'll find that the model can be applied to problems like this; it's not just about building software reproducibly, although software that builds reproducibly is conducive to the model.