For the past several years, we've been seeing a steady increase in the weaponization, stockpiling, and use of software exploits by many parties. In particular, there are an increasing number of vectors to "bridge the air gap" and exploit even disconnected machines. Software build systems make a worrisome target for these types of exploits: a single compromised build machine provides a stepping stone to compromise every user of the binaries it produces, which can mean very large numbers of machines.
To underscore this point, we will demonstrate a simple Linux rootkit that is capable of infecting the compilation process while otherwise leaving no traces on the machine.
We will discuss a powerful solution to this problem: build reproducibility, which lets independent parties rebuild the same source and confirm that they obtain bit-for-bit identical binaries. We will focus on the build system used by The Tor Project to build Tor Browser, our Firefox-based browser. We will also touch upon current work by Debian, as well as by F-Droid and the Guardian Project for Android.
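As an added illustration (not part of the original abstract, and not the Tor Project's, Debian's or F-Droid's build code), the following Python models the verification step that makes reproducibility useful. A "build" here just packs a source tree into a tar archive. The naive version leaks wall-clock timestamps, input order and the builder's identity into the artifact, so two honest builders disagree for no good reason; the normalized version pins the modification time to a SOURCE_DATE_EPOCH-style value, sorts entries and clears ownership, so honest builders produce identical archives and a builder whose toolchain silently altered the output (modelled as changed input bytes) stands out as a hash mismatch. The sample source tree, the RELEASE_EPOCH value and all function names are constructed for this example.

```python
import hashlib
import io
import tarfile
import time

# Constructed sample "source tree" (not a real Tor Browser release).
SAMPLE_SOURCES = {
    "bin/tor-browser": b"#!/bin/sh\nexec ./firefox \"$@\"\n",
    "README.txt": b"Tor Browser sample tree (constructed for this example)\n",
}

# Stand-in for SOURCE_DATE_EPOCH: a timestamp every builder agrees on,
# e.g. the time of the release commit. Value chosen arbitrarily here.
RELEASE_EPOCH = 1400000000


def build_artifact(sources, build_time=None, source_date_epoch=None):
    """Pack `sources` into an uncompressed tar archive and return its bytes.

    With source_date_epoch=None this behaves like a naive build step: files
    are written in whatever order the input arrived, mtime is the wall clock
    (`build_time`, defaulting to time.time()) and the builder's uid/gid and
    user name leak into the headers. With a source_date_epoch the archive is
    normalized: sorted names, mtime pinned to the epoch, ownership cleared,
    fixed mode. Two honest builders then produce bit-identical output.
    """
    deterministic = source_date_epoch is not None
    if deterministic:
        entries = sorted(sources.items())
        mtime = int(source_date_epoch)
    else:
        entries = list(sources.items())
        mtime = int(time.time() if build_time is None else build_time)

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            info.mtime = mtime
            if deterministic:
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            else:
                info.uid = info.gid = 1000          # whoever happened to run the build
                info.uname = info.gname = "builder"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(blob):
    """SHA-256 of a build artifact; this is what each independent builder publishes."""
    return hashlib.sha256(blob).hexdigest()


def independent_builds_agree(digests):
    """Reproducibility check: every independent builder's hash must match.
    Returns (all_agree, sorted list of distinct digests seen)."""
    distinct = sorted(set(digests))
    return len(distinct) == 1, distinct


def explain_difference(blob_a, blob_b):
    """List (member, field, value_a, value_b) tuples showing why two archives
    differ, so a non-reproducible build can be diagnosed rather than guessed."""
    def read(blob):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
            return [(m.name, m) for m in tar.getmembers()]
    a, b = read(blob_a), read(blob_b)
    diffs = []
    if [n for n, _ in a] != [n for n, _ in b]:
        diffs.append(("<archive>", "order", [n for n, _ in a], [n for n, _ in b]))
    ma, mb = dict(a), dict(b)
    for name in sorted(set(ma) | set(mb)):
        if name not in ma or name not in mb:
            diffs.append((name, "present", name in ma, name in mb))
            continue
        for field in ("size", "mtime", "mode", "uid", "gid", "uname", "gname"):
            va, vb = getattr(ma[name], field), getattr(mb[name], field)
            if va != vb:
                diffs.append((name, field, va, vb))
    return diffs


if __name__ == "__main__":
    # Naive build run twice, one second apart: hashes differ for no good reason.
    naive1 = build_artifact(SAMPLE_SOURCES, build_time=RELEASE_EPOCH)
    naive2 = build_artifact(SAMPLE_SOURCES, build_time=RELEASE_EPOCH + 1)
    print("naive builds agree:", independent_builds_agree([digest(naive1), digest(naive2)])[0])
    print("because:", explain_difference(naive1, naive2))

    # Normalized builds from two builders (input order differs) match exactly.
    repro1 = build_artifact(SAMPLE_SOURCES, source_date_epoch=RELEASE_EPOCH)
    repro2 = build_artifact(dict(reversed(list(SAMPLE_SOURCES.items()))),
                            source_date_epoch=RELEASE_EPOCH)
    print("reproducible builds agree:", independent_builds_agree([digest(repro1), digest(repro2)])[0])

    # A builder whose toolchain altered the output (modelled as changed bytes,
    # constructed) is now detectable: its hash disagrees with everyone else.
    tampered = dict(SAMPLE_SOURCES)
    tampered["bin/tor-browser"] += b"# injected by a compromised toolchain (constructed)\n"
    print("tampered builder detected:", not independent_builds_agree(
        [digest(repro1), digest(repro2),
         digest(build_artifact(tampered, source_date_epoch=RELEASE_EPOCH))])[0])
```

The point of the normalized path is that it removes every input the artifact depends on besides the source itself; real build systems have many more such inputs (compiler version, locale, path names, parallelism), and a compromised compiler is caught only when at least one of the independent builders is not also compromised, which is why several parties building on separately administered machines matters more than any single builder's care.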