[Dev] Goals/direction for the coming year

Nicolás A. Ortega deathsbreed at themusicinnoise.net
Fri Mar 31 11:52:23 GMT 2017

>  - Reproducible builds
>    Last year at LibrePlanet I attended h01ger's talk on reproducible
>    builds.  I went in with the attitude that reproducible builds were
>    nice, but that Parabola would never have them.  But I came out
>    thinking "Parabola will be reproducible by next LibrePlanet."  That
>    didn't happen, because I'm a lazy fuck.
>    This involves doing a better job of tracking exactly what source
>    went in to a package.  I have the necessary changes to libretools
>    already planned.
>    As far as enforcing reproducible builds (which would be the *very*
>    last step), I was thinking that it should require the package to be
>    built 3 different times: 2 by build servers, and once by a human.
>    This also means we need to redo db-cleanup to not prune packages
>    mentioned in any current package's `.BUILDINFO`.

I have heard a lot about reproducible builds as of lately, however I
fail to see how effective it would actually be against the issue they
are trying to solve, especially considering the extremely low risk of
the issue existing to begin with. There is a blog post that I believe
does a good job at summarizing the issue[0] (if you can get passed all
of the smart-ass remarks).

My own criticism of it is that it creates the ironically named "chicken
or the egg" paradox[1]. How so? Well, how do we know that our checksum
tool isn't backdoored either? In fact, that would be quite a more simple
solution. What's more, what about the compiler's compiler? And the
compiler of that compiler? Another solution (which wouldn't be as costly)
would be to reverse engineer the binary (yes, reverse engineering free
software). If all else fails, the only actual solution to the
*extremely* unlikely chance that these technologies have been
recursively backdoored would be to write a compiler in straight up
machine code (nope, not assembly, the assembler could be backdoored).
Who knows, maybe your editor is backdoored too, time to deal with the
wires directly.

I feel that lots of energy and time is being put into reproducible
builds, something that are vulnerable to the very issue they claim to
solve, when in reality there are much more important issues that can be
solved when it comes to security (like maybe using BitMessage instead of
e-mail, or at least adding a BitMessage chan since BitMessage is much
more anonymous).

If I am missing something about reproducible builds that makes them
important then I would like to know. But from what I have heard and read
it's a rather insubstantial fad. Again, please correct me if I am wrong.

[0] https://www.tedunangst.com/flak/post/reproducible-builds-are-a-waste-of-time
[1] https://en.wikipedia.org/wiki/Chicken_or_the_egg

Nicolás A. Ortega (Deathsbreed)
Public PGP Key:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20170331/ed823aad/attachment.sig>

More information about the Dev mailing list