Re: [Dev] Fwd: First Reproducible Builds Summit
On Thu, 10 Dec 2015 at 9:16, Denis 'GNUtoo' Cariklia wrote:

> [Arch Linux](https://www.archlinux.org/), What is its status?

It wasn't promising last time fauno forwarded an email by Allan McRae from the Arch mailing lists: https://lists.parabola.nu/pipermail/dev/2015-August/003182.html

___
Dev mailing list
Dev@lists.parabola.nu
https://lists.parabola.nu/mailman/listinfo/dev
Re: [Dev] Fwd: First Reproducible Builds Summit
On 10/12/15 19:42, Isaac David wrote:
> On Thu, 10 Dec 2015 at 9:16, Denis 'GNUtoo' Cariklia wrote:
>> [Arch Linux](https://www.archlinux.org/), What is its status?
>
> It wasn't promising last time fauno forwarded an email by Allan McRae from the Arch mailing lists: https://lists.parabola.nu/pipermail/dev/2015-August/003182.html

I guess if people have enough time, it's still worth pursuing. The people at Debian had issues getting as far as they did too.
https://duckduckgo.com/html/?q=debian%20timestamp%20bug%20reproducible
(ironically, I had issues searching their www bug-tracker interface)

Personally, I'd be happy even if just the packages that create the iso were reproducible; the rest could be built by the user from source (and a local repository). Of course it is easy for me to say this, but I don't actively develop parabola. But if I get round to it, I will have a go. I would like to try the cross-compiling route at some point anyway. That's unless someone beats me to it. ;)

Josh
Re: [Dev] Fwd: First Reproducible Builds Summit
> First Reproducible Builds Summit
>
> I met a few people who were there, and they were quite happy about how it went. I'm eager to meet with Lunar and learn more about the current status of Debian reproducible builds. Any plan for Parabola?

It's something I would like to see too. Ideally an operating system like parabola could be built from source and then verified, although that's a pretty big ask. I notice there is a nice script (dagpkg) for building packages. Perhaps it would be useful for not only automated builds, but reproducible ones too?

I recently found a nice vendor-neutral website about reproducible builds [1]. It talks about setting the build environment, including:
- specific operating system (if cross-compiling is not supported)
- build system architecture (if cross-compiling is not supported)

If it is possible to cross-compile the packages that make up the Parabola ISO, then the whole operating system could perhaps be built, then verified by a completely different system. This would help to give users migrating to Parabola more peace of mind over the security of the OS. I know Parabola is not (Cross) Linux From Scratch, but pacman can theoretically work on other operating systems, and to me it looks like there is the potential for users to be able to compile the whole OS (and perhaps verify it) on many other major platforms.

Also, if users are able to build, in bulk, the Parabola packages like this, it would help those with limited or no internet connection(s) and people less well off, and could provide a robust way of allowing a quick restart of development if (heaven forbid) the project were to cease.

Josh

[1] https://reproducible-builds.org/docs/
Re: [Dev] Fwd: First Reproducible Builds Summit
On 12/09/2015 12:37 PM, fauno wrote:
> fyi
>
> First Reproducible Builds Summit

I met a few people who were there, and they were quite happy about how it went. I'm eager to meet with Lunar and learn more about the current status of Debian reproducible builds. Any plan for Parabola?

hk
Re: [Dev] Fwd: First Reproducible Builds Summit
Hi,

Does that mean that parabola has some interest in reproducible builds? Are there some plans to tackle the problem?

As I understand it, unlike other distributions that have a single point of failure, that is, their build infrastructure, we do have to trust:
-> Every single package maintainer from parabola
-> Every single package maintainer from arch, as we use most of their stock packages
-> The machine and the software involved in the creation of the packages, including arch developers who probably run non-free software on their developer's machines.

Since Parabola suits me really, really well, and I value freedom over security, I still do use Parabola. Adapting to Trisquel was too painful for me.

> Start of forwarded message
[...]
> First Reproducible Builds Summit
>
> https://guardianproject.info/2015/12/09/first-reproducible-builds-summit/
>
> I was just in Athens for the "[Reproducible Builds Summit](https://reproducible-builds.org/events/athens2015/)", an [Aspiration](https://aspirationtech.org/)-run meeting focused on the issues of getting all software builds to be reproducible. This means that anyone starting with the same source code can build the *exact* same binary, bit-for-bit. At first glance, it sounds like this horrible, arcane detail, which it is really. But it provides tons of real benefits that can save lots of time. And in terms of programming, it can actually be quite fun, like doing a puzzle or sudoku, since there is a very clear point where you have "won".
>
> Here are some examples of real benefits:
[...]

Well, there are even more benefits: if we get that into parabola, you can then debug parabola. Right now we have no debug symbols. That would not be a problem anymore, as you would be able to generate them afterward. The user would just recompile the package with debug enabled to get such symbols. The sha512sum of this package's binaries would still match.

> Google,

Was it because of chromeOS and chromebooks? I see a point in getting the chromeOS boot firmware reproducible; that would make the point that you can have a secure and free software boot firmware. I'm not saying that there is always 100% free software. Usually they use coreboot with vendor blobs.

> [Arch Linux](https://www.archlinux.org/),

What is its status?

> [Coreboot](https://www.coreboot.org/),

Here that's really interesting. It will also make it into the next libreboot release. Let's imagine your laptop gets modified during shipping and a modified coreboot/libreboot image is built and reflashed. Now with an external programmer you can detect that: dumping the flash from the same laptop you want to verify may not give you the real content of the flash (the hardware makes it way too easy to give back a modified image). So dumping the flash externally and building the same image makes it possible to check if there was any modification.

> [Guix](https://www.gnu.org/software/guix/) package manager

As I understand it, it's not as stable (bug free, usable) as Parabola yet.

If Arch becomes reproducible, we definitely want to get reproducible too. That would permit us to check the arch packages, and to get debug symbols easily. Given that, in the Parabola community, 100% free systems are more common, and that they can be verified as stated above, the benefit would be really great. Let's not have the dilemma of having to choose between:
-> security and not-100% free distributions.
-> Freedom and insecure distributions.

Denis.
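The verification Denis describes for coreboot images (dump the flash with an external programmer, rebuild the same image reproducibly, compare the two) as an added Python example. This is not code from the thread, nor from the coreboot, libreboot or Parabola projects; the two images are constructed sample bytes, and reporting the result as a SHA-512 pair plus a list of differing byte ranges is my own choice, so a reviewer can tell a few changed bytes in a writable config area from a rewritten code region.

```python
# Added example (not from the mailing-list thread): compare an externally
# dumped flash image against a freshly built, reproducible image and report
# whether they match and, if not, which byte ranges differ.
import hashlib


def sha512_hex(data: bytes) -> str:
    """Hex SHA-512 of a byte string (the digest a build log would publish)."""
    return hashlib.sha512(data).hexdigest()


def diff_regions(a: bytes, b: bytes):
    """Return [(start, end), ...] half-open byte ranges where a and b differ.

    If the lengths differ, the tail beyond the shorter image is reported as
    one extra region: a size mismatch on its own is already a finding.
    """
    n = min(len(a), len(b))
    regions = []
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, n))
    if len(a) != len(b):
        regions.append((n, max(len(a), len(b))))
    return regions


def verify_flash(dumped: bytes, built: bytes) -> dict:
    """Compare a dumped image with a locally built one.

    Returns both digests, a boolean verdict and the differing regions, so the
    person checking the laptop sees where the image was changed, not just
    that it was.
    """
    regions = diff_regions(dumped, built)
    return {
        "dumped_sha512": sha512_hex(dumped),
        "built_sha512": sha512_hex(built),
        "matches": not regions,
        "diff_regions": regions,
        "bytes_differing": sum(end - start for start, end in regions),
    }


# Constructed sample images (not real firmware): a 4 KiB "built" image, and a
# "dump" in which 16 bytes at offset 0x100 have been overwritten.
BUILT_IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(4096))
_dump = bytearray(BUILT_IMAGE)
_dump[0x100:0x110] = b"\xAA" * 16
DUMPED_IMAGE = bytes(_dump)


if __name__ == "__main__":
    import sys

    # Usage: python verify_flash.py <dumped.rom> <built.rom>
    # With no arguments the constructed sample images are compared.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            report = verify_flash(f.read(), g.read())
    else:
        report = verify_flash(DUMPED_IMAGE, BUILT_IMAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The byte-range output is the useful part: a reproducible build gives you an exact expected image, so any region that differs in the external dump is either a writable area the firmware itself updates or a modification that needs explaining.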