Time to bring back the reproducible build hype
Why didn’t this become a thing? Surely in 2024, we should be able to build packages from source and sign releases with a private key.
Won’t help here; this backdoor is entirely reproducible. That’s one of the scary parts.
The backdoor wasn’t in the source code, only in the distributed binary. So reproducible builds would have flagged the tar as not coming from what was in Git
Reproducible builds generally work from the published source tarballs, as those tend to be easier to mirror and archive than a Git repository is. The GPG-signed source tarball includes all of the code to build the exploit.
The Git repository does not include the code to build the backdoor (though it does include the actual backdoor itself, the binary “test file”, it’s simply disused).
Verifying that the tarball and Git repository match would be neat, but is not a focus of any existing reproducible build project that I know of. It probably should be, but quite a number of projects have legitimate differences in their tarballs, often pre-compiling things like autotools-based configure scripts and man pages so that you can have a relaxed ./configure && make && make install
build without having to hunt down all of the necessary generators.
The back door is not in the source code though, so it’s not reproducible from source.