by infogulch 2007 days ago
This makes me think of a common refrain when dealing with parasite infestations: If you see one, there's way more than just one.

Deterministic builds cannot come soon enough. And really, builds are not enough, we need to be able to extend confidence in the execution of the programs we write much deeper than just builds.

> Deterministic builds cannot come soon enough.

This doesn't do anything for people who buy SolarWinds Orion, which is a closed-source off-the-shelf tool that gets picked up everywhere because of a combination of good sales tactics, compliance checkboxes, and ability to remove work from all involved.

Going back up the chain, a technical solution probably won't solve the issues inside SolarWinds either. Systemic organizational issues lead to RCE backdoors and implants distributed on official update servers, signed with authentic keys.

Deterministic builds can be done with closed source too. It doesn't directly help the users, but if they had setup a second build machine and noticed the build output was different, they could have addressed this sooner.

Of course, if following best practices, all build machines should be equally compromised. ;p

MD5 hashes and signing could have avoided this. Open source stuff always verifies, but closed source doesn't have that habit.
An article I read said that they did provide hashes but they also provided instructions on how to install it anyway if the hashes didn't match.
How is this possibly acceptable? We've given people verifiable proof that this binary is not the one we created, yet users should crack on and install it anyway?
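A worked illustration of the two points raised above, the "second build machine" check, which only works if the build is deterministic in the first place, and a published digest that is only useful when a mismatch stops the install, added here as an example; it is not code from this thread or from SolarWinds. The source tree is constructed inline, and `naive_build`, `deterministic_build`, `reproducible` and `verify_artifact` are hypothetical names chosen for this example. Signing of the published digest is left out; a real vendor would sign the manifest so the digest itself can be trusted.

```python
import gzip
import hashlib
import hmac
import io
import tarfile
import time

# Constructed sample "source tree" (path -> bytes). Hypothetical content,
# not anything shipped by SolarWinds.
SOURCE_FILES = {
    "orion/core.dll": b"MZ...constructed module bytes...",
    "orion/config.xml": b"<config><poll>60</poll></config>",
    "README": b"constructed readme\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_build(files: dict) -> bytes:
    """Packs the tree the way most 'just tar it up' release scripts do.

    Both the tar entries and the gzip header record the wall clock, so two
    honest builds of identical input yield different bytes. A second build
    machine then cannot distinguish 'different clock' from 'tampered'.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = time.time()  # nondeterministic
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def deterministic_build(files: dict) -> bytes:
    """Same content, with every known source of nondeterminism pinned:
    sorted entry order, mtime 0, uid/gid 0, empty owner names, gzip
    header mtime 0 and no embedded original filename.
    """
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.PAX_FORMAT) as tar:
            for name in sorted(files):
                data = files[name]
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = 0
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible(build, files: dict, runs: int = 2) -> bool:
    """The 'second build machine' check: build independently `runs` times
    from the same input and require byte-identical output."""
    digests = {sha256_hex(build(files)) for _ in range(runs)}
    return len(digests) == 1


def verify_artifact(artifact: bytes, published_sha256: str) -> bool:
    """Fail closed. A digest mismatch is proof that these are not the bytes
    the vendor built, so the only acceptable answer is 'do not install';
    there is no 'install anyway' path."""
    return hmac.compare_digest(sha256_hex(artifact), published_sha256.lower())


if __name__ == "__main__":
    print("naive build reproducible:        ", reproducible(naive_build, SOURCE_FILES))
    print("deterministic build reproducible:", reproducible(deterministic_build, SOURCE_FILES))
    artifact = deterministic_build(SOURCE_FILES)
    published = sha256_hex(artifact)  # what the vendor would publish (and sign)
    # Flip one byte of the artifact to simulate a modified download.
    tampered = artifact[:-10] + bytes([artifact[-10] ^ 0xFF]) + artifact[-9:]
    print("genuine verifies: ", verify_artifact(artifact, published))
    print("tampered verifies:", verify_artifact(tampered, published))
```

The naive build usually differs between runs because `time.time()` is recorded with sub-second precision in a PAX header; the deterministic build always matches itself, which is what makes a comparison against an independent build machine meaningful in the first place.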
I wonder if you could gain security while preserving agility by having build servers with exceptional (and annoying) security maintained offline. Do your CI/CD work, then chop off a weekly release and build it from source on a machine that’s been powered off in a secure room the whole time.

Still doesn't help you if the attack is sufficiently upstream.

Being liable for the consequences of poor software development and security practices would
If top management, maybe.
I haven't paid much attention to the SolarWinds catalog, but last I looked I did everything they offered on Linux with open source free tools.