[tbb-bugs] #28102 [Applications/Tor Browser]: Make sure we pick the exact same compile environment for Tor Browser builds
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Feb 27 11:26:41 UTC 2019
#28102: Make sure we pick the exact same compile environment for Tor Browser builds
-------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-rbm, TorBrowserTeam201811 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------+--------------------------
Comment (by boklm):
Replying to [comment:1 boklm]:
> I can think about the following ways to fix that:
> - specify exactly the versions of the packages we need, when we know
> that this package can cause reproducibility issues. For example we could
> make the firefox build on macOS require `gcc-49=4.9.2-10+deb8u1`. The
> problem is that any package update could cause such an issue, and it can
> take time until we notice it. With a complex package such as gcc, with
> many dependencies, the list of packages for which we need to specify the
> version might be long.
> - add a container image version number. We can then increase this number
> when we need to invalidate old containers after we found that an update is
> causing a reproducibility issue. Like the first option, this means that we
> only fix the issues after finding them, and the previous releases can
> become unreproducible.
> - use snapshots.debian.org to only install package updates that were
> available on a specific date. I think the main problem would be that
> changing the selected date would cause everything to be rebuilt, but that
> might be ok if we don't do it too often.
Another way to fix this could be to not use the system's gcc to build
firefox, but our own build of gcc. We are already doing that for the
Windows build, and could maybe share the gcc build as both are based on
jessie.
However this would not help if other package updates cause the same kind
of issues.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28102#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
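Added example (not part of the ticket or of Tor Browser's build tooling): a small Python check for the package drift discussed in the comment above. It compares the package list of a reference container with that of a rebuilt one, fingerprints each list so a changed compile environment is noticed immediately, and produces `name=version` pins for whatever changed. The manifests are constructed sample data and the function names are hypothetical; only the `gcc-49=4.9.2-10+deb8u1` pin comes from the ticket.

```python
import hashlib

# Constructed sample input: output of dpkg-query -W -f='${Package} ${Version}\n'
# in a reference container and in one rebuilt later. Only the gcc-49 pin is
# taken from the ticket; every other name and version is made up.
REFERENCE = """\
binutils 2.25-5
gcc-49 4.9.2-10+deb8u1
libc6-dev 2.19-18+deb8u10
make 4.0-8.1
"""
REBUILT = """\
binutils 2.25-5
gcc-49 4.9.2-10+deb8u2
libc6-dev 2.19-18+deb8u10
make 4.0-8.1
zlib1g-dev 1.2.8.dfsg-2
"""

def parse_manifest(text):
    """Map package name -> version, skipping blank or malformed lines."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pkgs[parts[0]] = parts[1]
    return pkgs

def fingerprint(pkgs):
    """Order-independent digest of the package set; changes on any update."""
    canon = "\n".join(f"{n}={v}" for n, v in sorted(pkgs.items()))
    return hashlib.sha256(canon.encode()).hexdigest()

def drift(ref, cur):
    """Return (changed, added, removed) relative to the reference manifest."""
    changed = {n: (ref[n], cur[n]) for n in ref.keys() & cur.keys() if ref[n] != cur[n]}
    added = {n: cur[n] for n in cur.keys() - ref.keys()}
    removed = {n: ref[n] for n in ref.keys() - cur.keys()}
    return changed, added, removed

def pins(ref, names):
    """apt-get style name=version arguments restoring the reference versions."""
    return [f"{n}={ref[n]}" for n in sorted(names) if n in ref]

if __name__ == "__main__":
    ref, cur = parse_manifest(REFERENCE), parse_manifest(REBUILT)
    changed, added, removed = drift(ref, cur)
    print("same environment:", fingerprint(ref) == fingerprint(cur))
    print("drift:", changed, added, removed, "| pin with:", pins(ref, changed))
```

Storing the reference fingerprint next to each release makes a later rebuild fail fast when the container no longer matches, instead of surfacing as a non-matching binary.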