Software transparency: package security beyond signatures and reproducible builds

Speaker: Benjamin Hof

Track: Security

Type: Long talk (45 minutes)


Room: Yushan (玉山) Live Stream

Time: Jul 29 (Sun), 11:00

Duration: 0:50

Current package distribution security is based on cryptographic signatures. We propose to extend the current release file signature mechanism with an architecture offering protection against targeted backdoors by a compromised archive.

This project introduces a Merkle tree-based transparency log for package meta data and source code, similar to certificate transparency. In our system, the APT client verifies that it installs the same binary package as everybody else. Utilising reproducible builds, we further ensure that the source code and buildinfo corresponding to that binary can be retrieved.

We explain parts of our prototype and show the results of replaying two years of Debian updates.