Their build process sounds similar to Bitcoin Core's release process.<p>Bitcoin downloads dependencies, checks them against their preconfigured hashes and then builds the different versions (Windows, Linux, Mac) in different VMs. The build is deterministic and thus produce the exact same files for everybody. Everyone signs the files they produced and uploads the signature. If all the signatures are valid for the same file you can be reasonably sure that the build process wasn't tampered with.<p>Getting deterministic builds even for a project like Bitcoin Core with few dependencies was hard. On the scale of Qubes this would be a monumental task. But maybe Debian's initative for reproducible builds makes this easier in the future.
Anyone interesting in securing repo's or build systems should start with Wheeler's landmark collection on the topic:<p><a href="http://www.dwheeler.com/essays/scm-security.html" rel="nofollow">http://www.dwheeler.com/essays/scm-security.html</a><p>Has basics in English, CompSci work, high-assurance considerations, and some example projects. A bright, security researcher that's very familiar with DVCS's should redo this in light of them with similar recommendations. More like a team of bright researchers but it needs to be done. I'm interested in any papers people already have on this that have similarly-thorough treatment of threat model and proposed mitigations.<p>Once you know builds, you might want to address subversion, design, implementations, covert channels, and other things if you're trying to stop Five Eyes, Russia, or China. That requires "high-assurance" security methods... when it's even possible... Got a small list here to get people started on how deep the issue goes just at high-level and subversion aspects:<p><a href="https://news.ycombinator.com/item?id=10478742" rel="nofollow">https://news.ycombinator.com/item?id=10478742</a>