Opened at 2013-08-08T21:34:04Z
Last modified at 2014-09-11T22:24:02Z
#2057 new enhancement
reproducible builds
| Reported by: | leif | Owned by: | daira |
|---|---|---|---|
| Priority: | normal | Milestone: | undecided |
| Component: | packaging | Version: | 1.10.0 |
| Keywords: | install security eggs | Cc: | |
| Launchpad Bug: | | | |
Description (last modified by zooko)
It would be good to have the official packages of Tahoe and all of its dependencies built using Gitian.
From http://gitian.org/:
Gitian uses a deterministic build process to allow multiple builders to create identical binaries. This allows multiple parties to sign the resulting binaries, guaranteeing that the binaries and tool chain were not tampered with and that the same source was used. It removes the build and distribution process as a single point of failure.
XXX This description may be obsolete as this ticket evolves -- please read the comments and maybe we'll update this description if we converge on an idea of what the issue is.
Change History (7)
comment:1 Changed at 2013-08-08T21:34:50Z by leif
- Type changed from defect to enhancement
comment:2 Changed at 2013-08-08T23:34:42Z by daira
comment:3 Changed at 2013-08-23T15:04:22Z by leif
This LWN article contains some worthwhile links on the subject.
comment:4 follow-up: ↓ 6 Changed at 2013-08-31T13:41:39Z by zooko
I love the idea of reproducible builds! It allows everyone to help everyone else in identifying bugs, backdoors, etc. With reproducible builds, the work that individuals, organizations, or companies put into verifying the software they use benefits all other users of that software.
Now, Tahoe-LAFS itself doesn't contain any native (C/C++) code that needs to be compiled. Do we even need to do anything to make this "deterministic build" idea happen? Or is it somebody else's problem?
Who downloads and installs Tahoe-LAFS, and how do they do that, and how can they make sure that they're getting the same thing that other users of Tahoe-LAFS get?
Well, here's an example, Debian:
http://packages.debian.org/search?keywords=tahoe+lafs&searchon=names&suite=all&section=all
How can a Debian user test whether http://ftp.us.debian.org/debian/pool/main/t/tahoe-lafs/tahoe-lafs_1.9.2-1_all.deb matches the same "tahoe-lafs_1.9.2-1_all.deb" that would be built by someone else from the same source?
Here is Debian's wiki page on reproducible builds:
https://wiki.debian.org/ReproducibleBuilds
By the way, Tahoe-LAFS's dependencies could contain bugs, backdoors, surprising enhancements or regressions, etc. To help everyone think clearly about this, let's move all discussion of dependencies (including zfec and pycryptopp, of which we are also the maintainers) to separate tickets specific to the dependencies.
So, what's the next step on this? Maybe we could ask the Debian Reproducible Build team to make Tahoe-LAFS be a test case for their new process, and we could collaborate with them?
Are there other packagers who are trying to solve this problem with whom we could collaborate?
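The question in comment 4 (how a user would test whether their package matches what someone else builds from the same source) comes down to building twice, independently, and comparing bytes. The following is an added example, not Tahoe-LAFS or Gitian code: it archives a constructed sample source tree as two simulated builders would, once naively (the archive carries each builder's checkout mtimes and owner information) and once with normalized metadata and a fixed timestamp, then compares the SHA-256 of both outputs and lists, member by member, which fields differ. `SOURCE_DATE_EPOCH`, `SAMPLE_SOURCE` and the two checkout times are constructed values; the function names are this example's own.

```python
"""Reproducibility check of a tarball 'build', as a second builder would do it.

Added example, not code from Tahoe-LAFS, Debian or Gitian. Two simulated
builders archive the same constructed source tree; the outputs are compared
by SHA-256 and, when they differ, explained member by member.
"""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample source tree (path -> contents); not the real project.
SAMPLE_SOURCE = {
    "tahoe_pkg/__init__.py": b"__version__ = '1.10.0'\n",
    "tahoe_pkg/node.py": b"def start():\n    return 'ok'\n",
    "README": b"constructed sample, not the real project\n",
}

# Fixed timestamp every reproducible builder agrees on (constructed value,
# following the SOURCE_DATE_EPOCH convention of the Debian reproducible work).
SOURCE_DATE_EPOCH = 1375997644


def write_source_tree(root, checkout_time):
    """Materialize SAMPLE_SOURCE under root and stamp every entry with the
    time this builder 'checked out' the source (two builders, two days)."""
    for rel, data in SAMPLE_SOURCE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            os.utime(os.path.join(dirpath, name), (checkout_time, checkout_time))
    os.utime(root, (checkout_time, checkout_time))


def build_naive(root):
    """Archive root the way a plain tar invocation would: real mtimes,
    real uid/gid and owner names, whatever permissions the checkout had."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname="src")
    return buf.getvalue()


def _normalize(info):
    """tarfile filter: strip everything that varies from builder to builder."""
    info.mtime = SOURCE_DATE_EPOCH
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o755 if info.isdir() else 0o644
    return info


def build_reproducible(root):
    """Archive root with normalized metadata and a pinned gzip header, so any
    builder starting from the same source produces the same bytes."""
    buf = io.BytesIO()
    # gzip carries its own timestamp; pin it too or the outer layer differs.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            tar.add(root, arcname="src", filter=_normalize)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def member_table(archive):
    """Per-member fingerprint: the fields a reviewer inspects when builds differ."""
    table = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for info in tar.getmembers():
            content = tar.extractfile(info).read() if info.isfile() else b""
            table[info.name] = {
                "mtime": info.mtime, "uid": info.uid, "gid": info.gid,
                "uname": info.uname, "gname": info.gname, "mode": info.mode,
                "sha256": sha256(content),
            }
    return table


def explain_difference(a, b):
    """Return [(member, field, value_in_a, value_in_b)] for every mismatch."""
    ta, tb = member_table(a), member_table(b)
    diffs = []
    for name in sorted(set(ta) | set(tb)):
        if name not in ta or name not in tb:
            diffs.append((name, "presence", name in ta, name in tb))
            continue
        for field in ta[name]:
            if ta[name][field] != tb[name][field]:
                diffs.append((name, field, ta[name][field], tb[name][field]))
    return diffs


def check_builder(builder):
    """Run builder as two independent builders (separate checkouts on different
    days) and report whether the outputs are byte-identical, plus the diffs."""
    outputs = []
    for checkout_time in (1375997644, 1410474242):  # constructed checkout times
        with tempfile.TemporaryDirectory() as root:
            write_source_tree(root, checkout_time)
            outputs.append(builder(root))
    a, b = outputs
    return sha256(a) == sha256(b), explain_difference(a, b)


if __name__ == "__main__":
    for builder in (build_naive, build_reproducible):
        ok, diffs = check_builder(builder)
        print(f"{builder.__name__}: {'identical' if ok else 'DIFFERENT'}")
        for member, field, va, vb in diffs:
            print(f"  {member}: {field} {va!r} != {vb!r}")
```

Run as a script, the naive builder reports a different hash for the two checkouts with an mtime mismatch on every member, while the normalized builder yields identical bytes. The same comparison applies to a real package such as the .deb mentioned above: hash the artifact, and when hashes disagree, diff the members rather than the whole file, since the difference is usually metadata (timestamps, ownership, file order) and not the code itself.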
comment:5 Changed at 2013-08-31T13:44:16Z by zooko
- Description modified (diff)
- Summary changed from deterministic builds using gitian to reproducible builds
P.S. The original description and title said it would be good to have the official packages of Tahoe-LAFS and all of its dependencies built using gitian, but I have a few problems with that. First, there aren't official packages of Tahoe-LAFS. Second, I don't understand why gitian is either necessary or sufficient for the goal of reproducible builds, and I don't like what little I understand of its approach, which is virtual-machine-based.
comment:6 in reply to: ↑ 4 Changed at 2013-09-01T05:34:20Z by daira
Replying to zooko:
So, what's the next step on this? Maybe we could ask the Debian Reproducible Build team to make Tahoe-LAFS be a test case for their new process, and we could collaborate with them?
+1
comment:7 Changed at 2014-09-11T22:24:02Z by warner
- Component changed from unknown to packaging
Sounds good to me!