by Shank 2006 days ago
> Deterministic builds cannot come soon enough.

This doesn't do anything for people who buy SolarWinds Orion, which is a closed-source off-the-shelf tool that gets picked up everywhere because of a combination of good sales tactics, compliance checkboxes, and ability to remove work from all involved.

Going back up the chain, a technical solution probably won't solve the issues inside SolarWinds either. Systemic organizational issues lead to RCE backdoors and implants distributed on official update servers, signed with authentic keys.

3 comments

Deterministic builds can be done with closed source too. It doesn't directly help the users, but if they had set up a second build machine and noticed the build output was different, they could have addressed this sooner.

Of course, if following best practices, all build machines should be equally compromised. ;p

MD5 hashes and signing could have avoided this. Open source stuff always verifies, but closed source doesn't have that habit.

An article I read said that they did provide hashes but they also provided instructions on how to install it anyway if the hashes didn't match.

How is this possibly acceptable? We've given people verifiable proof that this binary is not the one we created, yet users should crack on and install it anyway?
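The two checks the comments above describe, refusing to install an artifact whose published digest does not match and comparing the output of independent build machines, as an added illustration that is not from the thread or from SolarWinds. The artifact bytes are constructed stand-ins, SHA-256 is used rather than MD5 (MD5 is not collision resistant), and the function names are my own.

```python
import hashlib
import hmac
from typing import Iterable

# Constructed sample "installers": a clean build and a copy with one block altered.
# These are illustrative byte strings, not real files or real digests.
CLEAN_BUILD = b"\x4d\x5a" + b"clean-installer-v1|" * 8
TAMPERED_BUILD = CLEAN_BUILD.replace(b"clean", b"xxxxx", 1)


class IntegrityError(Exception):
    """Raised when an artifact does not match its published digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, published_sha256: str) -> str:
    """Return the digest if it matches the published value, otherwise raise.

    hmac.compare_digest is used so the comparison takes the same time
    regardless of where the first differing character is.
    """
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, published_sha256.lower()):
        raise IntegrityError(
            f"digest mismatch: published {published_sha256}, got {actual}"
        )
    return actual


def decide(data: bytes, published_sha256: str) -> str:
    """Installer policy: a mismatch is a hard stop, never 'install anyway'."""
    try:
        verify_artifact(data, published_sha256)
    except IntegrityError:
        return "refuse"
    return "install"


def builds_agree(outputs: Iterable[bytes]) -> bool:
    """Reproducibility check: every independent build yields identical bytes.

    The vendor-side version of the check: if a second build machine produced
    different output for the same source, something on one of them changed
    the artifact and the release must be investigated before it is signed.
    """
    digests = {sha256_hex(o) for o in outputs}
    return len(digests) == 1


if __name__ == "__main__":
    published = sha256_hex(CLEAN_BUILD)  # what the vendor would publish
    print("clean build:   ", decide(CLEAN_BUILD, published))      # install
    print("tampered build:", decide(TAMPERED_BUILD, published))   # refuse
    print("two builds agree:", builds_agree([CLEAN_BUILD, CLEAN_BUILD]))
    print("builder A vs B: ", builds_agree([CLEAN_BUILD, TAMPERED_BUILD]))
```

The digest comparison only proves the bytes are the ones the vendor published; if the build pipeline itself is compromised, the published digest will match the backdoored binary, which is why the second, independent build is the more valuable of the two checks.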
I wonder if you could gain security while preserving agility by having build servers with exceptional (and annoying) security maintained offline. Do your CI/CD work, then chop off a weekly release and build it from source on a machine that’s been powered off in a secure room the whole time.

Still doesn't help you if the attack is sufficiently upstream.

Being liable for the consequences of poor software development and security practices would
If top management, maybe.
I haven't paid much attention to the SolarWinds catalog, but last I looked I did everything they offered on Linux with open source free tools.