[tbb-dev] Reproducible Builds Summit
Matthew Finkel
matthew.finkel at gmail.com
Mon Dec 17 18:49:36 UTC 2018
On Mon, Dec 17, 2018 at 06:25:48PM +0100, Nicolas Vigier wrote:
> Hello,
>
> I was at the reproducible builds summit last week. During the meeting
> there were discussions about various topics related to reproducible
> builds:
> - reproducible builds for various languages, filesystems and distributions
> - bootstrapping
> - rebuilders and user verification
> - software transparency
>
> I think the two most interesting discussions for me were about rebuilders
> and user verification, and software transparency.
Interesting, thanks!
>
> = Software Distribution Transparency and Auditability =
>
> Benjamin Hof is working on tools for Software Distribution Transparency
> and Auditability:
> https://arxiv.org/abs/1711.07278
> https://debconf18.debconf.org/talks/104-software-transparency-package-security-beyond-signatures-and-reproducible-builds/
>
> He has implemented some prototypes to improve software distribution
> transparency in Debian, using a public log server which can be used to
> monitor the packages which have been distributed to users. I discussed
> with him how something similar could be done in Tor Browser.
>
> Here is how it could work:
> - we add a log server which can be used to cryptographically prove:
> * inclusion of an update in the log
> * append-only operation of the log
> - when we release a new Tor Browser version, we add checksums of the
> new mar files to the log.
> - when the Tor Browser updater receives a new update, it checks if the
> update is in the log, before applying it. If the update is not in the
> log, then the update is not applied.
> - independant monitors analyse the logs. They check that all checksums
> published in the log correspond to a known release. They can also check
> that the build corresponding to those checksums is reproducible. The
> log is public, so anybody can monitor it.
>
> The main improvement from this system is that it allows anyone to check
> that all the updates used by all users are reproductible builds, while
> today you can only verify that for one downloaded copy of the software.
This seems like it has the same goal as Mozilla's Binary Transparency
log: https://wiki.mozilla.org/Security/Binary_Transparency
I'm not sure if Mozilla are actively working on this, but based on the
two bug on that page, it seems like it isn't a priority right now:
https://bugzilla.mozilla.org/show_bug.cgi?id=1341397
https://bugzilla.mozilla.org/show_bug.cgi?id=1341398
More information about the tbb-dev
mailing list