
Lots of progress for Debian's reproducible builds - edward
https://lwn.net/Articles/630074/
======
swills
Why the re-post?

[https://news.ycombinator.com/item?id=8950292](https://news.ycombinator.com/item?id=8950292)

~~~
edward
Debconf15 is happening right now. Here is a video with details of the latest
progress: (warning 2.1G)

[http://meetings-archive.debian.net/pub/debian-meetings/2015/...](http://meetings-archive.debian.net/pub/debian-meetings/2015/debconf15/Stretching_out_for_trustworthy_reproducible_builds_creating_bit_by_bit_identical_binaries.webm)

Sorry, I didn't realise it had been posted before.

------
kragen
Unfortunately neither the excellent LWN article nor the comment thread so far
talk about the main benefit of reproducible builds, which is security, at
least potentially. If you're running an irreproducible build of some piece of
software in your user account, you're running on _hope_ that the person who
compiled that software didn't have malware on their machine that inserted a
backdoor into the software. Reproducible building makes that kind of attack
enormously more difficult: not only does the attacker need to insert the same
backdoor on the machines of all the developers who are reproducing the build,
but now the malware is almost certain to be detected, sooner or later. Coupled
with diverse double-compiling, reproducible build processes can even detect
the Thompson attack.

The big push for reproducible builds came in the wake of the Snowden evidence
that the NSA was specifically and systematically attacking the machines of
system administrators in order to gain access to the machines they controlled.
Debian and Tor developers should logically be even bigger attack targets.

------
qznc
If you consider the effort required for this, I always wonder how reproducible
the things in Docker or NixOS really are.

~~~
chriswarbo
Debian wasn't built with reproducibility in mind, whilst NixOS was.
"Backporting" features to existing systems is monotonically harder than
building a new system with that feature, since we have more constraints.

Even if, hypothetically, it were trivial for NixOS to obtain perfect
reproducibility, that doesn't necessarily help with making Debian reproducible
in a backwards-compatible way.

~~~
EmanueleAina
Honest question: is NixOS really doing reproducible builds, where you get
byte-identical binaries when rebuilding from source?

I only found this issue on the Tor tracker, and apparently NixOS does not
produce reproducible builds in the same way as intended by Debian:
[https://trac.torproject.org/projects/tor/ticket/12520](https://trac.torproject.org/projects/tor/ticket/12520)

~~~
chriswarbo
The _aim_ is to have such reproducible builds, for example builds are always
performed with the system clock set to 1 second after the Unix epoch. The
reality varies from package to package; reproducibility problems are counted
as bugs, but as always there are cost/benefit decisions about fixing them.

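The two points above (kragen's: independent rebuilders comparing bytes is what turns a backdoored build into a detectable event; chriswarbo's: a fixed clock is one of the knobs needed to get there) as a runnable toy, added here and not code from the LWN article, Debian or NixOS. The "build" is a hypothetical script that packs a constructed two-file source tree; `naive_build` embeds the wall clock and the absolute build directory, while `reproducible_build` takes its timestamp from `SOURCE_DATE_EPOCH` (the reproducible-builds.org convention, which is what NixOS's pinned clock also achieves) and sorts its inputs. The backdoor on builder C is a constructed `echo` line standing in for whatever malware on a developer's machine might insert.

```shell
#!/bin/sh
# Added example (not from the thread, Debian or NixOS): a toy "build" showing
# why byte-identical output lets independent rebuilders catch a tampered
# artifact, and why embedded timestamps and build paths break that check.
set -eu

# Portable SHA-256 over stdin (sha256sum on GNU systems, shasum on BSD/macOS).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else shasum -a 256 | cut -d' ' -f1; fi
}

# Constructed source tree: a hypothetical two-file "program" for the demo.
make_source() {
  mkdir -p "$1/src"
  printf 'echo hello\n'  > "$1/src/main.sh"
  printf 'VERSION=1.0\n' > "$1/src/version.sh"
}

# Naive build: embeds the wall clock and the absolute build directory and
# packs files in whatever order the glob yields. Two honest builders on two
# machines get two different artifacts, so a mismatch tells you nothing.
naive_build() {
  printf 'built-at: %s\nbuild-dir: %s\n' "$(date +%s)" "$1"
  for f in "$1"/src/*; do
    printf '== %s ==\n' "$f"
    cat "$f"
  done
}

# Reproducible build: timestamp from SOURCE_DATE_EPOCH (a value the builders
# agree on, falling back to 1 = one second after the epoch as NixOS does),
# relative paths, and sorted inputs so directory order cannot leak in.
reproducible_build() {
  printf 'built-at: %s\n' "${SOURCE_DATE_EPOCH:-1}"
  ( cd "$1" && find src -type f | LC_ALL=C sort ) | while read -r f; do
    printf '== %s ==\n' "$f"
    cat "$1/$f"
  done
}

# compare BUILD_FN SRC_A SRC_B: run one build function as two independent
# builders and report whether their artifacts are byte-identical.
compare() {
  a=$("$1" "$2" | digest)
  b=$("$1" "$3" | digest)
  [ "$a" = "$b" ] && echo same || echo differ
}

demo() {
  A=$(mktemp -d); B=$(mktemp -d); C=$(mktemp -d)
  make_source "$A"; make_source "$B"; make_source "$C"
  # Builder C's machine is compromised: something appended a line to main.sh.
  # (Constructed stand-in for a backdoor; it only echoes.)
  printf 'echo backdoor\n' >> "$C/src/main.sh"
  export SOURCE_DATE_EPOCH=1420070400   # 2015-01-01T00:00:00Z, agreed upfront

  echo "naive build, honest A vs honest B:        $(compare naive_build "$A" "$B")"
  echo "reproducible build, honest A vs honest B: $(compare reproducible_build "$A" "$B")"
  echo "reproducible build, honest A vs tampered C: $(compare reproducible_build "$A" "$C")"
  rm -rf "$A" "$B" "$C"
}

demo
```

With the naive build the honest rebuilders already disagree (different clock, different `mktemp` path), so a backdoor hides in the noise; with the reproducible build honest rebuilders agree to the byte and the tampered artifact is the only one that stands out. Real packages have many more such sources of noise (locale, umask, file ownership, parallelism, hash-map ordering), which is the per-package work the Debian effort is doing.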
------
ZenoArrow
Please correct me if I'm wrong, but wouldn't reproducible builds eventually
cut down on the work of package maintainers for Linux distros? Looking from my
outside perspective, once you get the packages building reproducibly the work
to maintain them is reduced (especially if you can pass the responsibility for
packaging to the developer). Couple that with a build-time test suite and the
work becomes even less of a burden.

I hope this is the case, as I believe that one thing that holds Linux/BSD back
from further refinement is the workload involved to maintain packages.

~~~
EmanueleAina
I don't think so. Reproducible builds mean that compiling the binary packages
results in byte-by-byte identical copies, even when done on different machines
at different times: the packaging sources do not get any simpler (to the
contrary, they may get slightly more complex due to additional concerns).

The XDG App effort to produce standardized runtimes and isolated applications
is probably what you're looking for, but it is completely orthogonal to
reproducible builds, as runtimes for XDG App can be built in a multitude of
ways, e.g. with pre-built distribution packages (reproducible or not).

------
nextos
So this is sort of like lightweight nix in some aspects, without giving up on
dynamic linking?

~~~
davexunit
Nix doesn't give up on dynamic linking.

~~~
nextos
Care to explain this? My very newbish view of it was that every package is
compiled against dependencies that are cryptographically hashed and it's
totally bound to them.

They even try to link mutt to a particular version of gpg, which is a bit
extreme as mutt calls gpg via shell so the interface between both is really
really loose.

That said I really like nix.

~~~
digi_owl
I'm speculating here, but it seems like a case of missing the forest for the
trees.

Yes they still use dynamic linking in the technical sense, as the libs are not
folded into the resulting binary.

But they miss the spirit (or raison d'être, if you will) of dynamic linking by
making hashing part of the linker requirements.

It's something that seems to crop up more and more in the Linux world these
days.

~~~
nextos
That's exactly what I meant. Thanks for putting it in clearer words.

------
jbb555
Now all they have to do is figure out how to build debian without systemd in
and I might consider using it again.

~~~
belorn
The debian installer has a boot prompt option to install sysvinit, or if you
want to be lazy, just install the sysvinit-core package and have the package
manager uninstall systemd after first boot.

