[tetha]

Bit-Reproducible infrastructure could also result in some of the wildest build distribution architectures if you think about it. You could publish sources and have people register like in APT mirrors to provide builds, and at the end of the day, the build from the largest bit-equal group is published.

I do see the Tor-Issue - a botnet or a well-supplied malicious actor could just flood it. And if you flip it - if you'd need agreement about the build output, it could also be poisoned with enough nodes to prevent releases for a critical security issue. I agree, I don't solve all supply chain issues in one comment :)

But that in turn could be helped with reputation. Maybe a node needs to supply 6 months of perfect builds - for testing as well - to become eligible. Which would be defeated by patience, but what isn't? It'd just have to be more annoying to breach the distributed build infrastructure than to plant a malicious developer.

This combination of reproducible, deterministic builds, tests across a number of probably-trustworthy sources is quite interesting, as it allows very heavy decentralization. I could just run an old laptop or two here to support. And then come compromise hundreds of these all across the world.

[smt88]

The distribution system you're describing exists and has been in use for decades. You just distribute the build using bittorrent.

[cluckindan]

And if someone invests in having >90% of the peers offer a malicious file and serve DHTs matching that file?

[smt88]

Torrent files are hashed, so it's exactly the same risk profile as the comment I was referring to. But generally hashing algorithms are collision-proof enough that what you're describing is basically impossible (requiring many years of compute time).

[pabs3]

IIRC BitTorrent still uses SHA-1, which is becoming more problematic.

[vhcr]

BitTorrent v2 uses SHA-256, but in any case SHA-1 is still second-preimage resistant. And the BitTorrent piece hashes are included in the .torrent file, so you would need to find a double collision.

[HumanOstrich]

Sounds overly complex and completely unnecessary, like some kind of blockchain/defi scheme shoehorned onto distributed builds.

[pabs3]

Reproducible isn't quite enough, you also need bootstrap from almost-zero binaries.

https://bootstrappable.org/

[charcircuit]

>It'd just have to be more annoying to breach the distributed build infrastructure than to plant a malicious developer.

It really wouldn't. You don't even need a powerful build server since you can mirror whatever someone else built. You can also buy / hack nodes of existing trusted people.

[nunez]

> Try building some common pieces of software in a network isolated environment and you will likely be surprised at how poorly it goes.

I have yet to experience a straight shot install or build of anything in an air gapped environment. Always need to hack things to make it work.