Security Working Group - Wednesday October 27 - results

Patrick Williams patrick at stwcx.xyz
Thu Oct 28 07:31:37 AEDT 2021 

On Wed, Oct 27, 2021 at 02:11:15PM -0500, Joseph Reynolds wrote:
> On 10/26/21 8:12 AM, Joseph Reynolds wrote:
 
> 1 FYA: Changing the os-release BUILD_ID back to its default value of 
> DATETIME (recipe os-release.bb) - 
> https://lore.kernel.org/openbmc/CAH2-KxB6P2HTE5iqJMx1Gwrrq_w2-gXCZ47ZXaO_x5kZ2RAzCg@mail.gmail.com/T/#m0065dab191fe8048ea02ab3c28b31362252f7622 
> <https://lore.kernel.org/openbmc/CAH2-KxB6P2HTE5iqJMx1Gwrrq_w2-gXCZ47ZXaO_x5kZ2RAzCg@mail.gmail.com/T/#m0065dab191fe8048ea02ab3c28b31362252f7622>(background 
> reference: https://man7.org/linux/man-pages/man5/os-release.5.html 
> <https://man7.org/linux/man-pages/man5/os-release.5.html>).
> 
>  1.
> 
>     Will the builder need to supply BUILD_ID to maintain a stable (aka
>     deterministic, aka reproducible) build?
> 
>  2.
> 
>     https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/48204
>     <https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/48204>
> 
>  3.
> 
>     https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/48205
>     <https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/48205>
> 
> DISCUSSION:
> 
> This was resolved: the project defaults are not being changed.

Can we get some more details on this decision and a reply to the original ML
post?  It seemed like almost everyone was on-board with the initial proposal and
then a separate meeting with limited minutes was held which came to a different
conclusion.  This is out of sync.

I don't understand how "deterministic builds" is directly related to security
and I'd be immensely surprised if you could actually, today, build two images
from the exact same git commit and end up with a byte-wise identical build as
it is.

If someone seriously wants a reproducible build on their system they can easily
override this BUILD_ID value but it seems odd to me that:

    1. We would choose to purposefully deviate from what upstream Yocto does.
    2. We would punt on the usability issue that originally pushed us down
       pursuing any change here.

> Is this general topic (“https://github.com/openbmc/openbmc/issues/3383 
> <https://github.com/openbmc/openbmc/issues/3383>”) important enough to 
> escalate to the Technical oversight  forum (TOF)?

What is the escalation to be done?  Is there some stale-mate encountered or a
seeming disagreement on direction?  It seems to me like only 1 developer is
actively working on it and the progress has just been slow as a result.

-- 
Patrick Williams
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20211027/067b1b2b/attachment-0001.sig>

More information about the openbmc mailing list