Ask HN: How far can we trust open-source projects or our hardware?
For large open-source security-focused projects like Kali Linux, we're told there are no backdoors but with millions of lines of code, how can we actually verify that? Full manual auditing isn't feasible for most individuals.

Some thoughts/questions:

Are reproducible builds and supply-chain audits enough to trust the binaries?

What strategies exist for spotting subtle backdoors in such large codebases?

For hardware, how do you approach the risk of compromised firmware, microcode, or hidden subsystems (e.g. Intel ME, AMD PSP)?

Do projects like Coreboot, Heads, or formally verified kernels meaningfully reduce this risk in practice?

Beyond reading every line yourself, what's the best way to build confidence?

How much trust (percentage-wise) do you personally put in OSS security projects or commodity hardware, and what technical mitigations do you use to minimize blind trust?