Reproducible Builds

From ParabolaWiki


"Reproducible builds" or "deterministic compilation" are umbrella terms for initiatives spearheaded initially by Bitcoin and Tor Browser, then shortly afterward by Debian, FreeBSD, Nix, and Guix. Over the years, they were joined by several other prominent distributions and software projects such as Arch Linux, coreboot, F-Droid, Fedora, and openSUSE to form a loose coalition, each working in its own way to provide this security feature to its users. Although the idea has been around for quite some time (GNU accomplished this for their toolchain in the early 1990s), only in recent years has it been seriously considered that an entire operating system could and should be built to such strict tolerances.

From the Reproducible Builds website:

 Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, so that anyone can verify that a given binary was derived from the source it was said to be derived from. There is a lot more information about reproducible builds on the Debian wiki and on https://tests.reproducible-builds.org. The wiki explains in more depth why this is useful, what common issues exist and which workarounds and solutions are known.

Reproducible Parabola is an effort to apply this to Parabola GNU/Linux-Libre. NOTE: The public documentation for this project is in the initial stage, and the previous link is currently a placeholder for where the Parabola build status would eventually be shown. In order to be recognized as a fully participating project, the following 'TODO' items should be completed:


1 DOCUMENTATION TODO:

The following items should be described on this wiki:

1.1 explain the tooling and process by which parabola is achieving reproducible builds

?


1.2 calculate or estimate the ratio of currently reproducible packages vs. those not yet reproducible

?


1.3 describe any significant obstacles

?


1.4 finally, remove the placeholder 'NOTE' sentence and the 'DOCUMENTATION TODO' heading above



2 IMPLEMENTATION TODO:

The following items have been suggested by the reproducible-builds team as high-priority tasks for arch and parabola:

2.1 integrate with the reproducible-builds jenkins server

This is to demonstrate that Parabola packages can be built and verified by a third party. The results are continuously displayed on the reproducible-builds.org website (the dead 'Reproducible Parabola' link above) once the reproducible-builds team is satisfied that Parabola is making reasonable progress. Arch is already integrated, so Parabola should already fit in nicely.



2.2 make pacman produce reproducible builds

This task is mostly completed. Arch developer 'anthraxx' has a patch on GitHub that is awaiting practical tests via the Debian PR Jenkins infrastructure.


3 How to get involved

  • /join #parabola on irc.freenode.net
  • /join #archlinux-reproducible on irc.freenode.net
  • /join #reproducible-builds on irc.oftc.net
  • subscribe to the parabola-dev mailing list
  • subscribe to the reproducible-builds mailing list
  • discuss or complete some of the 'TODO' items noted above
  • learn how to make existing software build deterministically
  • select a parabola package that is not yet reproducible and work on it
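
When working on a package that is not yet reproducible, a useful first step is to find out which part of two independent builds differs. The sketch below is an added example, not Parabola's or the reproducible-builds project's tooling: the function names and the in-memory sample package are constructed for illustration, and it assumes the package is a tar archive in a format Python's `tarfile` can open.

```python
import hashlib, io, tarfile

FIELDS = ("content", "mtime", "owner", "mode")

def describe(pkg_bytes):
    """Return ({member: {field: value}}, [member order]) for a tar archive."""
    members, order = {}, []
    with tarfile.open(fileobj=io.BytesIO(pkg_bytes), mode="r:*") as tar:
        for m in tar:
            body = tar.extractfile(m).read() if m.isfile() else b""
            members[m.name] = {
                "content": hashlib.sha256(body).hexdigest(),
                "mtime": m.mtime,
                "owner": (m.uid, m.gid, m.uname, m.gname),
                "mode": m.mode,
            }
            order.append(m.name)
    return members, order

def compare_builds(a, b):
    """List (member, reason) pairs explaining why two builds are not bit-identical."""
    if a == b:
        return []  # reproducible: the two archives match byte for byte
    (ma, oa), (mb, ob) = describe(a), describe(b)
    diffs = []
    for name in sorted(set(ma) | set(mb)):
        if name not in ma or name not in mb:
            diffs.append((name, "only in one build"))
            continue
        diffs += [(name, f) for f in FIELDS if ma[name][f] != mb[name][f]]
    if sorted(oa) == sorted(ob) and oa != ob:
        diffs.append(("<archive>", "member order"))
    # Same members and metadata but different bytes: the container itself differs.
    return diffs or [("<archive>", "container bytes")]

def make_pkg(mtime, names=("usr/bin/hello", ".PKGINFO")):
    """Constructed sample: a tiny uncompressed tar standing in for a built package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"payload of " + name.encode()
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    # Two constructed "builds" made one minute apart: only timestamps differ.
    for diff in compare_builds(make_pkg(1500000000), make_pkg(1500000060)):
        print(diff)
```

A result that lists only `mtime` or `member order` points at the packaging step rather than the compiler output, which narrows where to look for the source of non-determinism.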