Stories with Tag Debian

• Debian bookworm live images now reproducible

  permalink

  Posted: 2025-03-26 17:22:22

  Verbose tl;dr

  Debian's "bookworm" release now offers officially reproducible live images. This means that rebuilding the images from source code will result in bit-for-bit identical outputs, verifying the integrity and build process. This achievement, a first for official Debian live images, was accomplished by addressing various sources of non-determinism within the build system, including timestamps, random numbers, and build paths. This increased transparency and trustworthiness strengthens Debian's security posture.

  The Linux Weekly News article, "Debian bookworm live images now reproducible," details a significant milestone achieved by the Debian project: the ability to create bit-for-bit identical live images. This signifies that building a Debian Bookworm live image using the same source code and build process will consistently result in the exact same output, regardless of the time or location of the build. This achievement provides several crucial benefits, enhancing both security and reliability.

  Previously, variations in build environments, timestamps, and other seemingly inconsequential factors could lead to subtle, but important, differences between ostensibly identical builds. This made it difficult to verify the integrity of the images and complicated troubleshooting. With reproducible builds, developers and users can now cryptographically verify that a downloaded image is indeed the intended artifact, free from tampering or unintentional corruption. This assurance boosts security by mitigating risks associated with compromised build systems or malicious modifications during the build process.

  The article highlights the collaborative efforts involved in achieving this reproducibility, referencing work by the Debian Reproducible Builds project. This group has been instrumental in identifying and eliminating sources of non-determinism within the build process. These efforts involved meticulous examination of build scripts, toolchains, and dependencies, addressing issues such as randomized build paths, embedded timestamps, and variations in locale settings.

  The process of making the live images reproducible involved several key technical challenges, including managing differences arising from filesystem creation timestamps and handling variations in the compression of initramfs images. Specifically, the article mentions the utilization of tools like xorriso for ISO image creation and squashfs with consistent compression options to address these challenges.

  While the article focuses on the Bookworm release, it acknowledges that this achievement paves the way for reproducible live images in future Debian releases and potentially inspires other distributions to adopt similar practices. This advancement represents a significant step forward in ensuring the integrity and trustworthiness of Debian live images, strengthening the overall security and reliability of the Debian ecosystem. The article concludes by emphasizing the ongoing commitment of the Debian project to reproducible builds and the broader implications of this accomplishment for the open-source community.

  • Debian
  • Bookworm
  • Live Images
  • Reproducibility
  • Linux
  • Operating System
  • Open Source
  • Security
  • Software Development
  • Bit-for-bit Reproducibility
  • Build Systems

  Summary of Comments ( 68 )
  https://news.ycombinator.com/item?id=43484520

  Verbose tl;dr

  Hacker News commenters generally expressed approval of Debian's move toward reproducible builds, viewing it as a significant step for security and trust. Some highlighted the practical benefits, like easier verification of image integrity and detection of malicious tampering. Others discussed the technical challenges involved in achieving reproducibility, particularly with factors like timestamps and build environments. A few commenters also touched upon the broader implications for software supply chain security and the potential influence on other distributions. One compelling comment pointed out the difference between "bit-for-bit" reproducibility and the more nuanced "content-addressed" approach Debian is using, clarifying that some variation in non-functional aspects is still acceptable. Another insightful comment mentioned the value of this for embedded systems, where knowing exactly what's running is crucial.

  The Hacker News post "Debian bookworm live images now reproducible" sparked a discussion with several insightful comments.

  One commenter highlighted the significance of this achievement for security and trust. They explained that reproducible builds allow anyone to verify that a binary corresponds exactly to the claimed source code. This eliminates the risk of malicious code injection during the build process, whether intentional or accidental. This commenter emphasized the importance of this for situations where pre-built binaries are necessary, such as live images, and how this contributes to the overall security posture of Debian.

  Another commenter pointed out the impressive effort involved in achieving reproducible builds, considering the complexity of a modern operating system and the potential for variations in build environments. They also expressed hope that other distributions would follow Debian's lead.

  One user questioned the practical impact of reproducible builds for average users, prompting a reply explaining the benefits in terms of enhanced security and auditability. The reply clarified that while average users might not directly verify the builds themselves, the availability of reproducible builds allows trusted third parties to perform these verifications, ultimately benefiting all users.

  A further comment delved into the technical aspects of reproducibility, mentioning the challenges posed by differences in timestamps and build paths. The commenter acknowledged the efforts made by the Debian project to overcome these challenges, resulting in truly byte-for-byte identical images.

  A user familiar with Debian's build process explained the use of sbuild, a tool designed for creating chroot environments that ensure build consistency. They elaborated on how sbuild helps minimize variations in build dependencies and environment variables, contributing significantly to the reproducibility effort.

  Finally, a commenter brought up the issue of hardware variations and their potential impact on reproducibility, especially for non-deterministic operations involving floating-point calculations. However, this concern was addressed by another user who clarified that the focus of reproducible builds is on the software itself, ensuring that the same source code always produces the same binary, regardless of the underlying hardware. They conceded that hardware-specific optimizations could still lead to performance differences, but the integrity and verifiability of the software would remain intact. This reinforces the value of reproducible builds in maintaining a secure and trustworthy software supply chain.

• Entropy Attacks

  permalink

  Posted: 2025-03-25 12:20:38

  Verbose tl;dr

  The blog post "Entropy Attacks" argues against blindly trusting entropy sources, particularly in cryptographic contexts. It emphasizes that measuring entropy based solely on observed outputs, like those from /dev/random, is insufficient for security. An attacker might manipulate or partially control the supposedly random source, leading to predictable outputs despite seemingly high entropy. The post uses the example of an attacker influencing the timing of network packets to illustrate how seemingly unpredictable data can still be exploited. It concludes by advocating for robust key-derivation functions and avoiding reliance on potentially compromised entropy sources, suggesting deterministic random bit generators (DRBGs) seeded with a high-quality initial seed as a preferable alternative.

  Daniel J. Bernstein, in his blog post "Entropy Attacks," meticulously dissects the concept of entropy estimation within the realm of cryptography, specifically focusing on its application in generating supposedly random numbers for cryptographic keys. He argues that conventional entropy estimation techniques are fundamentally flawed and can lead to significant security vulnerabilities, leaving systems susceptible to attack. Instead of relying on abstract statistical measures of entropy, Bernstein advocates for a more concrete and pragmatic approach: demonstrably obtaining unpredictable bits.

  Bernstein begins by elucidating the conventional wisdom regarding entropy estimation. This approach typically involves analyzing the potential sources of randomness within a system, such as mouse movements, keyboard timings, or network activity. Each source is assigned an estimated entropy value, reflecting the perceived unpredictability of its output. These individual entropy estimations are then combined to determine the overall entropy of the generated random numbers.

  However, Bernstein argues that these estimations are inherently imprecise and often overly optimistic. He points out that attackers may possess more knowledge about the system than assumed, enabling them to predict the supposedly random bits with higher accuracy than the entropy estimations would suggest. He illustrates this with several examples where seemingly random sources can be influenced or predicted by an astute attacker. For instance, an attacker might analyze network traffic patterns or exploit vulnerabilities in peripheral drivers to gather information about the "random" data being collected.

  Furthermore, Bernstein criticizes the common practice of combining entropy estimates from different sources. He contends that simply adding the individual entropy values doesn't accurately represent the overall entropy, as the sources may be correlated or influenced by common factors. This can lead to a significant overestimation of the true randomness of the generated numbers.

  Instead of relying on these potentially flawed entropy estimations, Bernstein proposes an alternative approach focused on acquiring demonstrably unpredictable bits. He suggests using sources of randomness that are inherently difficult to predict, even by a well-informed attacker. One such example is utilizing high-quality random number generators based on physical phenomena, like radioactive decay or thermal noise, which are inherently unpredictable. Another approach is to leverage publicly verifiable randomness beacons, which provide publicly accessible random bits generated through robust and transparent processes.

  He further emphasizes the importance of rigorous testing and verification of the randomness generation process. Instead of relying on theoretical entropy estimations, Bernstein advocates for empirical testing using statistical randomness tests to ensure the generated numbers exhibit the expected properties of true randomness.

  In conclusion, Bernstein's "Entropy Attacks" serves as a cautionary tale against overreliance on conventional entropy estimations in cryptography. He argues that these estimations are often inaccurate and can lead to a false sense of security. He advocates for a shift towards demonstrably acquiring unpredictable bits and rigorously testing the randomness of generated numbers, ensuring the security of cryptographic systems against potential attacks.

  • entropy
  • Cryptography
  • Security
  • random number generation
  • rng
  • CSPRNG
  • prng
  • Debian
  • Linux
  • Operating Systems
  • software vulnerabilities
  • attacks
  • information theory

  Summary of Comments ( 13 )
  https://news.ycombinator.com/item?id=43470339

  Verbose tl;dr

  The Hacker News comments discuss the practicality and effectiveness of entropy-reduction attacks, particularly in the context of Bernstein's blog post. Some users debate the real-world impact, pointing out that while theoretically interesting, such attacks often rely on unrealistic assumptions like attackers having precise timing information or access to specific hardware. Others highlight the importance of considering these attacks when designing security systems, emphasizing defense-in-depth strategies. Several comments delve into the technical details of entropy estimation and the challenges of accurately measuring it. A few users also mention specific examples of vulnerabilities related to insufficient entropy, like Debian's OpenSSL bug. The overall sentiment suggests that while these attacks aren't always easily exploitable, understanding and mitigating them is crucial for robust security.

  The Hacker News post titled "Entropy Attacks" links to a blog post by Daniel J. Bernstein on entropy estimation. The discussion in the comments section revolves around the complexities and nuances of entropy estimation, particularly in the context of cryptographic systems. Several commenters engage with the technical details presented in Bernstein's post.

  One commenter highlights the difficulty of estimating entropy accurately, especially when dealing with real-world sources that might not exhibit ideal randomness. They mention the "haveged" program as an example of a tool attempting to generate entropy from hardware events, but acknowledge the challenges in ensuring its true randomness.

  Another commenter delves into the distinction between Shannon entropy and min-entropy, emphasizing that cryptographic operations rely on min-entropy for security. They point out that measuring min-entropy is inherently more difficult than measuring Shannon entropy.

  The idea of "compressing" randomness into a smaller, higher-entropy form is also discussed. Commenters explain that while it's possible to extract a shorter, more uniformly random string from a longer, less random one, this process doesn't magically create entropy. The output's entropy is fundamentally limited by the input's entropy.

  One comment specifically references the use of cryptographic hash functions as randomness extractors. They explain how these functions can transform a source with uneven entropy distribution into a more uniformly random output, suitable for cryptographic keys.

  A few commenters touch upon the practical implications of entropy estimation in system security. They acknowledge the difficulty of achieving truly random numbers in software and mention hardware random number generators (RNGs) as a more reliable source. They also discuss how insufficient entropy can lead to vulnerabilities in security systems.

  Finally, some comments offer further reading on related topics, such as the NIST publication on entropy sources and various academic papers on randomness extraction. Overall, the comments section provides valuable insights and perspectives on the challenges of entropy estimation and its crucial role in cryptography.

• Make Ubuntu packages 90% faster by rebuilding them

  permalink

  Posted: 2025-03-18 23:55:17

  Verbose tl;dr

  Rebuilding Ubuntu packages from source with sccache, a compiler cache, can drastically reduce compile times, sometimes up to 90%. The author demonstrates this by building the Firefox package, achieving a 7x speedup compared to a clean build and a 2.5x speedup over using the system's build cache. This significant performance improvement is attributed to sccache's ability to effectively cache and reuse compilation results, both locally and remotely via cloud storage. This approach can be particularly beneficial for continuous integration and development workflows where frequent rebuilds are necessary.

  The post "Make Ubuntu packages 90% faster by rebuilding them" explores a significant performance improvement achieved by rebuilding Ubuntu Debian packages using a modified configuration. The author, frustrated by the slow build times of certain packages, specifically gcsfuse, observed that the default build process utilized a single core, severely underutilizing the available processing power of modern multi-core systems.

  The post then meticulously details the process of accelerating the build process. The core of the optimization lies in leveraging the DEB_BUILD_OPTIONS environment variable. By setting this variable to parallel=N, where N represents the desired number of concurrent build jobs (ideally matching the number of CPU cores), the compilation process can be parallelized. This modification instructs the build system, specifically dpkg-buildpackage, to utilize multiple cores during the compilation and linking stages, dramatically reducing the overall build time.

  The author showcases the remarkable impact of this simple change. A rebuild of the gcsfuse package, which initially took an hour and a half, completed in a mere ten minutes after implementing the parallelization. This represents an approximately 90% reduction in build time. Furthermore, the post demonstrates how to make this optimization permanent by setting the DEB_BUILD_OPTIONS variable within the user's shell configuration file (e.g., .bashrc or .zshrc). This ensures that all future builds automatically benefit from parallel processing.

  The post concludes by emphasizing the ease and effectiveness of this optimization, suggesting that it could significantly improve the development workflow for anyone building Debian packages on multi-core systems. The author also notes the potential for further performance gains by exploring other compiler flags and build optimizations, although these are not explored within the post itself. The provided example focuses on a specific package, gcsfuse, but the technique is applicable to any Debian package built with tools like dpkg-buildpackage that respect the DEB_BUILD_OPTIONS variable.

  • Ubuntu
  • Packages
  • build process
  • optimization
  • performance
  • Speed
  • Rebuilding
  • Linux
  • Debian
  • Software Development
  • dpkg
  • APT

  Summary of Comments ( 10 )
  https://news.ycombinator.com/item?id=43406710

  Verbose tl;dr

  Hacker News users discuss various aspects of the proposed method for speeding up Ubuntu package builds. Some express skepticism, questioning the 90% claim and pointing out potential downsides like increased rebuild times after initial installation and the burden on build servers. Others suggest the solution isn't practical for diverse hardware environments and might break dependency chains. Some highlight the existing efforts within the Ubuntu community to optimize build times and suggest collaboration. A few users appreciate the idea, acknowledging the potential benefits while also recognizing the complexities and trade-offs involved in implementing such a system. The discussion also touches on the importance of reproducible builds and the challenges of maintaining package integrity.

  The Hacker News post "Make Ubuntu packages 90% faster by rebuilding them" generated a significant discussion with several compelling comments exploring various facets of the proposed speed improvements.

  Several commenters focused on the reproducibility aspect. One user questioned the reproducibility of builds using ccache given its potential to mask underlying issues that might manifest differently on different systems. This concern stemmed from the idea that while ccache might speed up builds, it could also hide bugs that would otherwise be caught during a clean build. Another commenter echoed this sentiment, emphasizing the importance of clean builds for verifying package integrity and catching errors. They also highlighted the inherent tension between build speed and ensuring correct and reproducible builds across diverse environments.

  Another thread of conversation revolved around the technical details of the proposed speed improvements. One commenter inquired about the specific changes implemented to achieve the 90% speed increase, prompting the original poster (OP) to provide more context. The discussion delved into the mechanics of ccache and how it leverages caching mechanisms to accelerate compilation times. This technical exchange shed light on the underlying principles enabling the performance gains.

  The practicality and applicability of the proposed changes were also discussed. One commenter questioned whether the changes would be upstreamed, given the potential benefits for a wider audience. This prompted a conversation about the challenges and considerations involved in integrating such changes into the broader Ubuntu ecosystem. Further discussion focused on the trade-offs between build speed and resource consumption, specifically memory usage. Some users raised concerns about the potential impact on systems with limited resources, while others argued that the benefits outweighed the drawbacks.

  Finally, some comments focused on alternative approaches and existing best practices. One commenter mentioned that using ccache is already a common practice within the community and suggested that the observed speed improvements might not be entirely novel. Another commenter pointed out the importance of distributing build processes to further enhance performance, especially for larger projects. These comments provided valuable context and expanded the discussion beyond the specific approach presented in the original post.