[Dev] Fwd: First Reproducible Builds Summit

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Thu Dec 10 15:16:58 GMT 2015


Does that mean that Parabola has some interest in reproducible builds?
Are there any plans to tackle the problem?

As I understand it, unlike other distributions that have a single point
of failure, that is, their build infrastructure, we do have to trust:
-> Every single package maintainer from Parabola
-> Every single package maintainer from Arch, as we use most of their
   stock packages
-> The machine and the software involved in the creation of the
   packages, including Arch developers who probably run non-free
   software on their developer machines.

Since Parabola suits me really, really well, and I value freedom
over security, I still do use Parabola.
Adapting to Trisquel was too painful for me.

> -------------------- Start of forwarded message --------------------
> First Reproducible Builds Summit
> ================================
> https://guardianproject.info/2015/12/09/first-reproducible-builds-summit/
> I was just in Athens for the “[Reproducible Builds
> Summit](https://reproducible-builds.org/events/athens2015/)“, an
> [Aspiration](https://aspirationtech.org/)-run meeting focused on the
> issues of getting all software builds to be reproducible. This means
> that anyone starting with the same source code can build the *exact*
> same binary, bit-for-bit. At first glance, it sounds like this
> horrible, arcane detail, which it is really. But it provides tons of
> real benefits that can save lots of time. And in terms of
> programming, it can actually be quite fun, like doing a puzzle or
> sudoku, since there is a very clear point where you have “won”.
> Here are some examples of real benefits:
Well, there are even more benefits: if we get that into Parabola, you
can then debug Parabola.
Right now we have no debug symbols. That would not be a problem anymore,
as you would be able to generate them afterwards.
The user would just recompile the package with debug enabled to get
such symbols. The sha512sum of this package's binaries would still match.

> Google,
Was it because of ChromeOS and Chromebooks?
I see a point in getting ChromeOS boot firmware reproducible; that
would make the point that you can have a secure and free software boot.
I'm not saying that there is always 100% free software. Usually they
use coreboot with vendor blobs.

> [Arch Linux](https://www.archlinux.org/),
What is its status?

> [Coreboot](https://www.coreboot.org/),
Here that's really interesting. It will also make it into the next
libreboot release.
Let's imagine your laptop gets modified during shipping and a modified
coreboot/libreboot image is built and reflashed.
Now with an external programmer you can detect that:
Dumping the flash from the same laptop you want to verify may not give
you the real content of the flash (the hardware makes it way too easy to
give back a modified image).
So dumping the flash externally and building the same image makes it
possible to check if there was any modification.

> [Guix](https://www.gnu.org/software/guix/) package manager
As I understand it, it's not as stable (bug free, usable) as Parabola yet.

If Arch becomes reproducible, we definitely want to get reproducible
too. That would permit us to check the Arch packages, and to get debug
symbols easily.

Given that, in the Parabola community, 100% free systems are more common,
and that they can be verified as stated above, the benefit would be
really great.

Let's not have the dilemma of having to choose between:
-> security and not-100%-free distributions.
-> freedom and insecure distributions.
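Added example (not from the message or from the coreboot/libreboot projects): a small Python check for the flash verification described above. It hashes the externally dumped flash, compares it with the image rebuilt from source, and when they differ reports which 4 KiB blocks deviate. The 64 KiB pattern image and the tampering are constructed sample data, not a real firmware image.

```python
import hashlib
from typing import List, Tuple


def sha512_hex(data: bytes) -> str:
    """Hex SHA-512 digest, the same value `sha512sum` prints for the file."""
    return hashlib.sha512(data).hexdigest()


def differing_regions(expected: bytes, dumped: bytes,
                      granularity: int = 4096) -> List[Tuple[int, int]]:
    """Byte ranges [(start, end), ...] (end exclusive) where the dump
    deviates from the rebuilt image. Blocks are compared at `granularity`
    (4 KiB, a typical SPI flash erase block) and adjacent bad blocks are
    merged. A length mismatch shows up as a differing tail block."""
    regions: List[Tuple[int, int]] = []
    total = max(len(expected), len(dumped))
    current = None
    for start in range(0, total, granularity):
        end = min(start + granularity, total)
        if expected[start:end] != dumped[start:end]:
            if current is not None and current[1] == start:
                current = (current[0], end)       # extend contiguous run
            else:
                if current is not None:
                    regions.append(current)
                current = (start, end)
    if current is not None:
        regions.append(current)
    return regions


def verify_flash(expected: bytes, dumped: bytes, granularity: int = 4096):
    """Compare an externally dumped flash image with the reproducibly
    rebuilt one. Returns (match, rebuilt_sha512, dumped_sha512, regions)."""
    h_exp, h_dump = sha512_hex(expected), sha512_hex(dumped)
    if h_exp == h_dump:
        return True, h_exp, h_dump, []
    return False, h_exp, h_dump, differing_regions(expected, dumped, granularity)


# Constructed sample data: a 64 KiB pattern stands in for the rebuilt image,
# and a copy with bytes changed at 0x5000 and 0xA010 stands in for the dump.
REBUILT_IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(64 * 1024))
_tampered = bytearray(REBUILT_IMAGE)
_tampered[0x5000:0x5004] = b"\xde\xad\xbe\xef"
_tampered[0xA010] ^= 0x01
DUMPED_IMAGE = bytes(_tampered)

if __name__ == "__main__":
    ok, h_exp, h_dump, regions = verify_flash(REBUILT_IMAGE, DUMPED_IMAGE)
    print("rebuilt sha512:", h_exp)
    print("dumped  sha512:", h_dump)
    print("match" if ok else "mismatch in " + ", ".join(
        f"0x{s:06x}-0x{e:06x}" for s, e in regions))
```

With a real device the two inputs would be the file written by the external programmer and the image produced by the reproducible build, read from disk.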
