Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20130924162513.GA3173@lonestar>
Date: Tue, 24 Sep 2013 21:55:13 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: oss-security@...ts.openwall.com
Subject: Reproducible Builds for Fedora

Hi,

I have been working on having Reproducible Builds in Fedora for some
time.

At this point, I think I have something demoable. Ensuring Reproducible
Builds is a big task and I want your feedback, ideas, code and support.

Please see https://github.com/kholia/ReproducibleBuilds for details.

I would like to thank Debian and Ubuntu folks for starting similar
projects (and inspiring this work).

Reproducible Builds
===================

It should be possible to reproduce every build of every package in
Fedora.

We want to be able to show that our binary was the result of our source
code from our compiler and nobody added anything along the way.

Can we (upstream / vendor) show that one of our rpms was built from the
source we ship?

It should be possible for the users to verify that the binary matches
what the source intended to produce, in an independent fashion. We (the
distribution provider) shouldn't be forced to say "Trust Us" to our
users at all.

Steps Involved
==============

* Recording the build environment (DONE)

  - Koji does this automatically :-)

* Re-producing the build environment (DONE)

  - Retrieve "brootid" (buildrootID) corresponding to the NVR we want to
    test from Koji (DONE)

  - Replicate this buildroot (DONE)

  - Create replica build environment using "Mock" (DONE)

* Do re-builds locally using mock (DONE)

* Verify new build against upstream (DONE, Steve's script works great)

Current State
=============

* Packages like git, john and qpdf are 100% reproducible as far as code
  is concerned :-)

*  We also support "Recursive Verification". For example, if building
   "Z" requires installing "Y" RPM, then, once we have verified that Z
   is OK, we can ask our tool to verify "Y" too and so on.

Current Challenges
==================

See http://tinyurl.com/ReproducibleBuildsProblems

* python-epydoc will add timestamps to the HTML file it produces (
  needs FIXING).

* javadoc will add timestamps to the HTML file it produces (needs
  FIXING).

Links
=====

https://wiki.debian.org/ReproducibleBuilds

http://fedoraproject.org/wiki/Releases/FeatureBuildId#Unique_build_ID

http://blogs.kde.org/2013/06/19/really-source-code-software

https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise

https://trac.torproject.org/projects/tor/ticket/5837

https://trac.torproject.org/projects/tor/ticket/3688

http://bazaar.launchpad.net/~ubuntu-security/ubuntu-security-tools/trunk/files/head:/package-tools/

-- 
Dhiru

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.