[tbb-bugs] #21032 [Applications/Tor Browser]: Creating some public database of "reproduced builds"

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 19 14:44:54 UTC 2016


#21032: Creating some public database of "reproduced builds"
------------------------------------------+----------------------
     Reporter:  boklm                     |      Owner:  tbb-team
         Type:  task                      |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 The process of checking that our builds have been reproduced by multiple
 people is currently mostly manual. In order to make this process easier,
 more automated (to be able to use it in the updater or some launcher) and
 possible to use at a larger scale (checking that some large number of
 people reproduced a build), we could have some tool indexing the builds
 created by various people.

 This could be done by adding the generation of some `buildinfo` files
 (similar to the Debian's buildinfo files) to our build process, containing
 important informations about the build, such as its inputs and outputs,
 and indexing them with their signatures in some database.

 This database would contain the following types of builds or operations,
 signed by various builders:
 - the build of a bundle from a git tag
 - the creation of a signed mar file, from an unsigned mar (or the reverse
 operation)
 - the creation of an OSX code-signed mar file, from an unsigned mar (or
 the reverse operation)
 - the creation of an incremental mar file, from two full mar files

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21032>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list