On Mon, Aug 18, 2025 at 10:12 PM Reginald Beardsley via openindiana-discuss <[email protected]> wrote:
> So if I build Gnu Linear Programming Package (aka GLPK) how do you > prevent me from adding a Trojan, building GLPK, restoring the original > source and building an IPS pkg? Is there a checksum generated by the > compiler from the source file that is recorded in the binary? > > If not, I should like an explanation of how it meets the "On Trusting > Trust" issue. This has long been a major concern, but I have been blindly > trusting the OI repository. > > I can't resolve the backdoored distro problem, but I'm not concerned about > that. I am concerned about the vetting process for IPS pkgs for 3rd party > stuff produced by 3rd parties, e.g. Reg"s version of libxyz. > Generally you wouldn't have a distribution taking someone else's binaries and packaging them. Normally the distributions build from source. And the build system normally checks the source input is what you expect - and that on subsequent build attempts it's exactly the same source. Then there's reproducibility. Even if you can compromise one particular package instance, can you compromise somebody else building the same package independently? Because you can have 2 people building the same package and comparing their results. Now, none of the illumos distributions have reproducible builds in quite the same way that other open source projects think about it - https://reproducible-builds.org/ - largely because the emphasis there is on things like output tarballs. In general, illumos binaries will differ because of metadata differences, but systems like IPS know how to skip that and can generate a checksum of just the elf content of an object. So in general 2 people should generate the same IPS package, which in theory allows backdoored packages to be detected. (The theory part is if anybody bother to look.) > Reg > > > On Monday, August 18, 2025 at 03:36:05 PM CDT, Till Wegmüller < > [email protected]> wrote: > > Hi Reg > > We do handle Maintenance and and security updates for people. > Technically you can have multiple repos linked to your system but in > practice it's only ever the main openindiana.org one. And packages from > there are always source built on the OpenIndiana build server and only > from there. In the Future we would also like to provide ephemeral build > zones that are spawned from a template and then destroyed. So it gets > really hard to backdoor those machines like in the XZ case. Other ideas > to make that spawning process happen are heartly welcome. But in short, > we do not accept binary packages only source and recipes and then build > them from a decently secure system for people. > > Hope this helps > -Till > > On 18.08.25 21:44, Reginald Beardsley via openindiana-discuss wrote: > > I'm happy to build packages for things I use that don't already have > pkgs. However, it raises the issue of "On Trusting Trust". I've generally > not been enthusiastic about binary packages because it's so easy to Trojan > or backdoor one. > > How does OI deal with that? This is why I have, until very recently, > built from source. Linux made doing that fairly absurd with all the > dependencies and as I was just using Linux on a test system for email I > started slacking. Time to stop. > > As an incentive, how about a lottery? People who build things for their > own use and supply an IPS pkg get a ticket in an annual lottery for each > pkg they contribute and the prize is of the order of 1000 Euros. > > Have Fun!Reg > > _______________________________________________ > > openindiana-discuss mailing list > > [email protected] > > https://openindiana.org/mailman/listinfo/openindiana-discuss > > _______________________________________________ > openindiana-discuss mailing list > [email protected] > https://openindiana.org/mailman/listinfo/openindiana-discuss > > _______________________________________________ > openindiana-discuss mailing list > [email protected] > https://openindiana.org/mailman/listinfo/openindiana-discuss > -- -Peter Tribble http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/ _______________________________________________ openindiana-discuss mailing list [email protected] https://openindiana.org/mailman/listinfo/openindiana-discuss
