How does Julia stack up (to other languages)?
- Reproducible Builds:
Given the application’s source code, it should be possible to reproduce the distributed package exactly, down to contents that are known to vary benignly, such as build timestamps.
This property is important for auditing. A developer can sign both the source code and distributed binary package, but how does the user (or, more likely, a security auditor) know the source code actually represents the binary? […]
- Userbase Consistency Verification:
[…] These packages should be available permanently in a public record.
This is the most important of the three properties. Simply put: Everyone gets the same thing. If you can guarantee that everyone gets an identical copy of the software, then it becomes impossible to hide a targeted attack. If an attacker wants to backdoor one user’s software, they have to backdoor every user’s software. This greatly increases the attacker’s risk of being detected.
- Cryptographic Signatures:
The software package, source code, and patches (changes) should be cryptographically signed by the upstream software source (i.e. the developers).
I conjecture that these three properties, if implemented correctly, are sufficient to disincentivize both large-scale attacks (i.e. the NSA wants to put a vulnerability in everyone’s copy of Tor) and localized targeted attacks (i.e. the NSA wants to compromise a single user’s software download to take control of their system).
Having just two of these properties is not enough:
I believe Julia packages are excellent for reproducible builds (builds may be redundant here, as usually dealing with source code, but this may also apply to JLLs), with the Artifacts system. I still don’t know about “[build] timestamps”, or if applies.
For the second, most “most important”, property, that’s provided by Github (or e.g. Gitlab) but I don’t know about the 3rd point cryptographic signatures. Would it be up to e.g. Github, do they automatically make for you? It seems if Github were compromised then it wouldn’t be enough to have them in the same place, so is it up to the Julia registry? For Julia itself, they exist, and you kind of trust the Julia developers…
Not covered by this, is you actual main source file(s). That seems up to you, often such code is just internal, but sometimes distributed, not always in a package… so Julia systems (i.e. the registry) can’t protect you then, so might be an argument to register more code.
This could also get complicated with e.g. Python or R dependencies, PythonCall or PyCall and RCall, but I’m mostly thinking about Julia-only code, and JLLs. Feel free to comment a bit on other languages (even PHP), independently of Julia, or at least if you see issues specifically when used with Julia.
I found the above link at:
- We know it’s a solvable problem.
We had briefly introduced our complete solution when we announced that WordPress would cryptographically sign its automatic updates in 2019.