If you use a binary distribution, you're already owned

Forget the days of hunting for exploits and probing for attack vectors.

The big boys have automated software systems for quickly identifying whole classes of exploits in software binaries, and frameworks for automatically generating rootkits using SAT/SMT solvers, concolic testing and attack synthesis. In a matter of minutes, they can have a print out of all of the exploits they can use, and software already to go to own your ass.

How the hell are you supposed to protect against this? Why are so many idiot project maintainers chasing after reproducible builds when this is exactly the type of shit the big boys love? Why aren't the major compiler projects invested in developing SMT-based code generators that can create different permutations of programs from random seeds that can possibly thwart this?

>>12
they do, but do you have a proof of SMT being used to find and exploit vulnerabilities in practice? academic breakthroughs and the idea that this could potentially be used for exploitation isn't a proof that:
1. we know how to use that for exploitation
2. we have hardware that can use that for exploitation
3. we know how to use that for quick, universal and completely automated exploitation of low level vulnerabilities
4. we have hardware that can use that for quick, universal and completely automated exploitation of low level vulnerabilities
5. doing that is cheaper, more efficient, more reliable and/or faster than just hiring good hackers
6. anyone would do all that to exploit low-level bugs instead of starting with high-level stuff and crypto shit which is often easier to exploit and more reliable due to platofrm independence
7. probabilistic compilation will save you from any of this shit