Re: [Dev] Fwd: First Reproducible Builds Summit

2015-12-10 Thread Isaac David



On Thu. 10 Dec. 2015 at 9:16, Denis 'GNUtoo' Carikli wrote:
> [Arch Linux](https://www.archlinux.org/),
> What is its status?

It wasn't promising last time fauno forwarded an email by Allan McRae 
from the Arch mailing lists:

https://lists.parabola.nu/pipermail/dev/2015-August/003182.html
___
Dev mailing list
Dev@lists.parabola.nu
https://lists.parabola.nu/mailman/listinfo/dev


Re: [Dev] Fwd: First Reproducible Builds Summit

2015-12-10 Thread Josh Branning

On 10/12/15 19:42, Isaac David wrote:
> On Thu. 10 Dec. 2015 at 9:16, Denis 'GNUtoo' Carikli wrote:
>> [Arch Linux](https://www.archlinux.org/), What is its status?
>
> It wasn't promising last time fauno forwarded an email by Allan McRae
> from the Arch mailing lists:
> https://lists.parabola.nu/pipermail/dev/2015-August/003182.html


I guess if people have enough time, it's still worth pursuing. The 
people at Debian had issues getting as far as they did too.


https://duckduckgo.com/html/?q=debian%20timestamp%20bug%20reproducible

(ironically, I had issues searching their www bug-tracker interface)

Personally, I'd be happy even if just the packages that create the iso 
were reproducible, the rest could be built by the user from source (and 
a local repository).


Of course it is easy for me to say this, but I don't actively develop 
Parabola.


But if I get round to it, I will have a go. I would like to try the 
cross-compiling route at some point anyway. That's unless someone beats 
me to it. ;)



Josh
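The timestamp problem Josh refers to, as an added example that is not code from the thread, from Parabola or from Debian: the script below checks out one constructed source tree on two simulated machines at different times and packs it twice, once the way an unaware packaging script does and once with every non-content input pinned. SAMPLE_TREE, write_tree, naive_archive, reproducible_archive, simulate_build and archive_contents are names invented for the example; the pinned timestamp follows the SOURCE_DATE_EPOCH convention documented at reproducible-builds.org but is passed as a plain argument here rather than read from the environment. Python's tarfile stands in for whatever tar or makepkg step a real package build runs.

```python
"""Timestamps (and friends) as a source of unreproducible builds, and the fix.

Added example, not Parabola, Debian or thread code. Two simulated machines
check out the same constructed tree at different times and pack it:
  naive_archive()        records the files' mtimes, the build time in the
                         gzip header, the builder's uid/gid/umask and the
                         os.walk() order -> the two machines disagree.
  reproducible_archive() pins mtimes to one SOURCE_DATE_EPOCH value, blanks
                         owners, normalises modes, sorts the walk and strips
                         the gzip filename field -> bit-identical output.
"""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample "source tree" (path -> contents); not a real package.
SAMPLE_TREE = {
    "pkg/README": b"reproducible builds demo\n",
    "pkg/src/main.c": b"int main(void) { return 0; }\n",
    "pkg/src/util.c": b"int helper(void) { return 42; }\n",
}


def write_tree(root, tree, checkout_time):
    """Materialise `tree` under `root`, every file stamped with `checkout_time`
    (what a checkout made at that moment would leave on disk)."""
    for rel, data in tree.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (checkout_time, checkout_time))


def naive_archive(root, build_time):
    """Pack `root` as an unaware script does: metadata straight from the
    filesystem, gzip stamped with `build_time`, entries in os.walk() order."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=build_time) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for dirpath, _dirnames, filenames in os.walk(root):
                for name in filenames:
                    full = os.path.join(dirpath, name)
                    tar.add(full, arcname=os.path.relpath(full, root))
    return buf.getvalue()


def reproducible_archive(root, source_date_epoch):
    """Pack `root` so the bytes depend only on paths and contents."""
    def normalise(info):
        info.mtime = source_date_epoch                       # pinned, not checkout time
        info.uid = info.gid = 0                              # not the builder's account
        info.uname = info.gname = ""
        info.mode = 0o755 if info.mode & 0o100 else 0o644    # umask-independent
        return info

    buf = io.BytesIO()
    # gzip header: pinned mtime, no original-filename field.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=source_date_epoch, filename="") as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for dirpath, dirnames, filenames in os.walk(root):
                dirnames.sort()                              # deterministic descent
                for name in sorted(filenames):               # deterministic entry order
                    full = os.path.join(dirpath, name)
                    tar.add(full, arcname=os.path.relpath(full, root), filter=normalise)
    return buf.getvalue()


def archive_contents(blob):
    """Read a .tar.gz back as {arcname: bytes}: proves normalisation touched
    only metadata, not the payload."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def simulate_build(checkout_time, build_time, source_date_epoch):
    """One 'machine': check out at `checkout_time`, build at `build_time`.
    Returns sha256 of both archives plus the reproducible archive itself."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, SAMPLE_TREE, checkout_time)
        naive = naive_archive(root, build_time)
        repro = reproducible_archive(root, source_date_epoch)
    return {
        "naive": hashlib.sha256(naive).hexdigest(),
        "reproducible": hashlib.sha256(repro).hexdigest(),
        "archive": repro,
    }


if __name__ == "__main__":
    epoch = 1449619200  # the agreed SOURCE_DATE_EPOCH (constructed value)
    a = simulate_build(checkout_time=1449000000, build_time=1449000100, source_date_epoch=epoch)
    b = simulate_build(checkout_time=1449500000, build_time=1449500300, source_date_epoch=epoch)
    print("naive:       ", "differ" if a["naive"] != b["naive"] else "match")
    print("reproducible:", "match" if a["reproducible"] == b["reproducible"] else "differ")
```

Run it and the naive archives hash differently while the normalised ones match. The four knobs it pins (mtimes, owner, mode, traversal order) are the ones a distribution has to control in its packaging tool before bit-for-bit comparison of two builds of a package can even start; compilers and linkers add their own sources of variation on top.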


Re: [Dev] Fwd: First Reproducible Builds Summit

2015-12-10 Thread Josh Branning

> First Reproducible Builds Summit
>
> I met a few people who were there, and they were quite happy about how
> it went.  I'm eager to meet with Lunar and learn more about the current
> status of Debian reproducible builds.
>
> Any plan for Parabola?


It's something I would like to see too. Ideally an operating system like 
Parabola could be built from source and then verified, although that's a 
pretty big ask.


I notice there is a nice script (dagpkg) for building packages. Perhaps 
it would be useful for not only automated builds, but reproducible ones too?


I recently found a nice vendor-neutral website about reproducible builds 
[1]. It talks about setting up the build environment, including:


specific operating system (if cross-compiling is not supported)

and

build system architecture (if cross-compiling is not supported)

If it is possible to cross-compile the packages that make up the 
Parabola ISO, then the whole operating system could perhaps be built, 
then verified by a completely different system. This would help to give 
users migrating to Parabola more peace of mind over the security of the OS.


I know Parabola is not (Cross) Linux From Scratch, but pacman can 
theoretically work on other operating systems, and to me it looks like 
there is the potential for users to be able to compile the whole OS (and 
perhaps verify it) on many other major platforms.


Also, if users are able to build the Parabola packages in bulk like 
this, it would help those with limited or no internet connection(s) and 
people less well off, and could provide a robust way of allowing 
development to restart quickly if (heaven forbid) the project were to cease.



Josh


[1] https://reproducible-builds.org/docs/


Re: [Dev] Fwd: First Reproducible Builds Summit

2015-12-10 Thread hellekin

On 12/09/2015 12:37 PM, fauno wrote:
> 
> fyi
> 
> 
> 
>   First Reproducible Builds Summit
> 

I met a few people who were there, and they were quite happy about how
it went.  I'm eager to meet with Lunar and learn more about the current
status of Debian reproducible builds.

Any plan for Parabola?

==
hk



Re: [Dev] Fwd: First Reproducible Builds Summit

2015-12-10 Thread Denis 'GNUtoo' Carikli
Hi,

Does that mean that Parabola has some interest in reproducible builds?
Are there any plans to tackle the problem?

As I understand it, unlike other distributions that have a single point
of failure, that is, their build infrastructure, we do have to trust:
-> Every single package maintainer from parabola
-> Every single package maintainer from arch as we use most of their
   stock packages
-> The machine and the software involved in the creation of the
   packages, including Arch developers who probably run non-free
   software on their development machines.

Since Parabola suits me really, really well, and since I value freedom
over security, I still do use Parabola.
Adapting to Trisquel was too painful for me.

>  Start of forwarded message 
[...]
> 
> First Reproducible Builds Summit
> 
> 
> https://guardianproject.info/2015/12/09/first-reproducible-builds-summit/
> 
> I was just in Athens for the “[Reproducible Builds
> Summit](https://reproducible-builds.org/events/athens2015/)“, an
> [Aspiration](https://aspirationtech.org/)-run meeting focused on the
> issues of getting all software builds to be reproducible. This means
> that anyone starting with the same source code can build the *exact*
> same binary, bit-for-bit. At first glance, it sounds like this
> horrible, arcane detail, which it is really. But it provides tons of
> real benefits that can save lots of time. And in terms of
> programming, it can actually be quite fun, like doing a puzzle or
> sudoku, since there is a very clear point where you have “won”.
> 
> Here are some examples of real benefits:
[...]
Well, there are even more benefits, if we get that into parabola, you
can then debug parabola.
Right now we have no debug symbols. That would not be a problem anymore,
as you would be able to generate them afterwards.
The user would just recompile the package with debug enabled to get
such symbols. The sha512sum of this package's binaries would still match.

> Google,
Was it because of chromeOS and chromebooks?
I see a point in getting chromeOS boot firmware reproducible, that
would make the point that you can have a secure and free software boot
firmware.
I'm not saying that theirs is always 100% free software. Usually they
use coreboot with vendor blobs.

[Arch Linux](https://www.archlinux.org/),
What is its status?

> [Coreboot](https://www.coreboot.org/),
Here that's really interesting. It will also make it into the next
libreboot release.
Let's imagine your laptop gets modified during shipping and a modified
coreboot/libreboot image is built and reflashed.
Now with an external programmer you can detect that:
Dumping the flash from the same laptop you want to verify may not give
you the real content of the flash (the hardware makes it way too easy to
give back a modified image).
So dumping the flash externally and building the same image makes it
possible to check if there was any modification.

> [Guix](https://www.gnu.org/software/guix/) package manager
As I understand it, it's not as stable (bug-free, usable) as Parabola yet.

If Arch becomes reproducible, we definitely want to get reproducible
too. That would permit us to check the arch packages, and to get debug
symbols easily.

Given that, in the Parabola community, 100% free systems are more common,
and that they can be verified as stated above, the benefit would be
really great.

Let's not have the dilemma of having to choose between:
-> security and not-100% free distributions.
-> Freedom and insecure distributions.

Denis.


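Denis's flash check (dump the chip with an external programmer, rebuild the same coreboot/libreboot image from source, compare the two), as an added example that is not code from coreboot, libreboot or anyone in the thread. A single hash comparison only answers yes or no; when the answer is no you want the offsets, and a full-chip dump normally holds bytes the build did not produce: whatever sits outside the built image, plus, as assumed here, any region the firmware itself writes at runtime, which a rebuild cannot reproduce. differing_ranges, unexplained, verify and sample_images are names invented for the example, and the sample images are constructed data, not a real ROM.

```python
"""Check an externally read flash dump against an image rebuilt from source.

Added example; not coreboot, libreboot or thread code.
  differing_ranges()  every [start, end) span of the dump that differs from
                      the rebuilt image placed at `offset`.
  unexplained()       drops spans lying wholly inside regions assumed to be
                      rewritten by the firmware at runtime; anything else
                      (including a span that merely overlaps such a region)
                      is reported, which is the conservative choice.
  verify()            the yes/no answer, built on the two above.
"""
from typing import Iterable, List, Tuple

Range = Tuple[int, int]   # [start, end) byte offsets into the dump


def differing_ranges(dump: bytes, built: bytes, offset: int = 0,
                     chunk: int = 4096) -> List[Range]:
    """Spans of `dump` that differ from `built` laid at `offset`. Compared in
    chunks so identical images cost one comparison per chunk; only a chunk
    that differs is walked byte by byte."""
    if offset < 0 or offset + len(built) > len(dump):
        raise ValueError("built image does not fit in the dump at that offset")
    ranges: List[Range] = []
    start = None          # start (relative to `built`) of the open differing run
    i, n = 0, len(built)
    while i < n:
        j = min(i + chunk, n)
        if dump[offset + i:offset + j] == built[i:j]:
            if start is not None:             # a run ended at this chunk boundary
                ranges.append((offset + start, offset + i))
                start = None
        else:
            for k in range(i, j):
                if dump[offset + k] != built[k]:
                    if start is None:
                        start = k
                elif start is not None:
                    ranges.append((offset + start, offset + k))
                    start = None
        i = j
    if start is not None:                     # run reached the end of the image
        ranges.append((offset + start, offset + n))
    return ranges


def unexplained(ranges: Iterable[Range], allowed: Iterable[Range]) -> List[Range]:
    """Keep only differing spans that are not wholly inside an allowed region."""
    allowed = list(allowed)
    return [r for r in ranges
            if not any(a <= r[0] and r[1] <= b for a, b in allowed)]


def verify(dump: bytes, built: bytes, offset: int = 0,
           allowed: Iterable[Range] = ()) -> bool:
    """True iff every byte of `built` matches the dump at `offset`, apart from
    spans inside `allowed`."""
    return not unexplained(differing_ranges(dump, built, offset), allowed)


def sample_images():
    """Constructed demo data, not a real firmware image: a 64 KiB 'build' and
    a dump that prefixes 16 KiB the build did not produce, has a 16-byte span
    assumed to be rewritten by the firmware at runtime, and one tampered byte."""
    built = bytes(range(256)) * 256                      # 64 KiB of known pattern
    prefix = b"\xff" * 0x4000                            # bytes outside the build
    dump = bytearray(prefix + built)
    base = len(prefix)
    dump[base + 0x2000:base + 0x2010] = b"\xaa" * 16     # runtime-written span
    dump[base + 0x9000] ^= 0x80                          # the modification to catch
    return bytes(dump), built, base


if __name__ == "__main__":
    dump, built, base = sample_images()
    runtime_regions = [(base + 0x2000, base + 0x2100)]   # assumed from the flash layout
    for lo, hi in unexplained(differing_ranges(dump, built, base), runtime_regions):
        print(f"unexplained difference at dump offset 0x{lo:x}-0x{hi:x}")
    print("verified" if verify(dump, built, base, runtime_regions) else "MODIFIED")
```

For a real check `dump` is the file the external programmer produced (for example a flashrom read), `built` is the image you rebuilt, and `offset` and `allowed` come from the board's flash layout; none of those values appear in the thread, so they have to be established for the board in question. Note the check only says whether the flash content matches what the source builds to; it says nothing about the source itself, which is the point of doing the rebuild from audited, free code.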