[tor-talk] Deterministic builds?

Jacob Appelbaum jacob at appelbaum.net
Thu Jan 5 13:58:16 UTC 2012


On 01/05/2012 02:30 PM, Greg Troxel wrote:
> 
>   We believe that Windows and Mac OS X both produce build results that are
>   extremely difficult to verify. On Gnu/Linux sometimes the build results
>   are difficult to verify.
> 
> I am not crystal clear on all the details, but NetBSD has recently
> undergone a perhaps-similar effort, with the goal being that one should
> be able to start with identical sources and get bit-identical binary
> releases.

Sounds good.

> 
> Key elements include:
> 
>   Using a toolchain that is part of the source tree.
> 
>   Modifying the toolchain to not embed timestamps.
> 
>   Cleaning up everyplace else that allowed variation.
> 
> But, that was a regression-test mentality effort, and I think you are
> talking about a security effort, to detect subversion of platforms used
> for the build.  Still, if everyone can check out a given tag, and produce
> the same bits, and compare hashes, a lot of benefit is gained - is that
> your goal?
> 

Yes. That is exactly the goal.

All the best,
Jacob

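The goal Greg describes (check out the same tag, produce the same bits, compare hashes) and the timestamp problem he lists, shown as an added Python illustration that is not part of this thread nor of Tor's or NetBSD's build tooling: a tar packaging step stands in for a toolchain, the sources and the two timestamps are constructed, and the helper functions locate where two build outputs differ.

```python
import hashlib
import io
import tarfile

# Constructed stand-in for the sources at a given tag (not a real project).
SOURCES = {
    "src/util.c": b"int util(void) { return 42; }\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}

# Offsets of the mtime and chksum fields inside a 512-byte ustar header.
MTIME_FIELD = range(136, 148)
CHKSUM_FIELD = range(148, 156)

def build_archive(sources, mtime):
    """Stand-in for a build step: pack the sources into a tar archive.

    A toolchain that stamps wall-clock time would take `mtime` from the
    clock on every run; a deterministic one pins it to a fixed value.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(sources):      # fixed order: directory listing order also varies
            data = sources[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = mtime
            info.uid = info.gid = 0       # do not leak the builder's account into the output
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256_hex(data):
    """The hash two independent builders would publish and compare."""
    return hashlib.sha256(data).hexdigest()

def differing_offsets(a, b):
    """Byte offsets where two build outputs differ, or None if sizes differ."""
    if len(a) != len(b):
        return None
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def variation_is_only_timestamps(a, b):
    """True if every differing byte sits in a tar header's mtime or chksum field."""
    offs = differing_offsets(a, b)
    return offs is not None and all(
        (o % 512) in MTIME_FIELD or (o % 512) in CHKSUM_FIELD for o in offs)

if __name__ == "__main__":
    clock_a, clock_b = build_archive(SOURCES, 1325771896), build_archive(SOURCES, 1325800000)
    pinned_a, pinned_b = build_archive(SOURCES, 0), build_archive(SOURCES, 0)
    print("clock-stamped builds match:", sha256_hex(clock_a) == sha256_hex(clock_b))
    print("pinned-timestamp builds match:", sha256_hex(pinned_a) == sha256_hex(pinned_b))
    print("only timestamps vary:", variation_is_only_timestamps(clock_a, clock_b))
```

Running it shows the clock-stamped pair hashing differently while the pinned pair hashes identically, and the offset check confirms the only variation is the embedded timestamp (plus the header checksum that covers it).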
