Hacker News new | ask | show | jobs
by lrvick 500 days ago
From that first link "In the Fedora ecosystem, we cannot achieve reproducibility by the reproducible-builds.org definition"

Good to see they are slowly closing some blockers every year or so, but fundamentally today they do builds and signing centrally. There is no way to readily get the same hash of a central fedora supplied rpm locally.

Supply chain integrity is simply not a priority. They just trust the central build farm, or the compilers it uses, or everyone with access to it will never be compromised.
1 comments
dralley 500 days ago
This is a touch dramatic. The hash of the payload and the hash of the RPM header are still reproducible and can be verified. It's just that the existence of internal signatures makes it impossible to do a simple checksum of the file.
link
lrvick 500 days ago
And thus RPM was not designed with easy user reproduction and signing by multiple independent parties for high accountability in mind. Most other package managers do not have this problem. This is a flaw that should be corrected.

Also, it takes a ton of work and testing and bug fixes and patches to get software reproducible. Assume most packages are not reproducible until proven otherwise. Arch, debian, nix, guix, all do that work and publish the proof, for several years, with far less resources than redhat or fedora. Stagex even has 100% (shameless plug)

Easy user hash for hash reproducibility with published reproduction testing proofs is the standard baseline for years now, and even that is nowhere near good enough.

Multiple independently signed reproduction proofs with full source bootstrapping is IMO a bare minimum for any distro that expects other people to be able to trust it for more than hobby use cases.

Supply chain attacks are becoming very common, and no one should have to trust a single engineer somewhere with a god signing key for a major distro.

Also just to spot check a popular package in Fedora, rust, I just confirmed it still downloads a non-reproducible binary rust compiler to build its own rust package, so it is certainly not reproducible from source even putting aside the rpm signing format problems. Fedora blindly trusts whoever builds the binaries on the rust team. I can only assume RHEL does the same.

https://src.fedoraproject.org/rpms/rust/blob/8e04e725bbf4eb9...

link
dralley 500 days ago
It's a problem that can be easily fixed with tooling that's smart enough to just look inside the file. Detached signatures aren't necessarily better, just different.
link