reproducible builds
Open, Low, Public

Description

https://reproducible-builds.org/
https://wiki.debian.org/ReproducibleBuilds

neon should produce reproducible builds and enable testing thereof.

Reproducible builds seek to be able to create bit-by-bit identical binaries across multiple rebuilds of the same source, even in varying environments.
This is a uniquely important aspect of system security and trustworthiness. Linux has no means to sign software (binaries, libraries), which has the advantage of being very tinker-friendly and the disadvantage of making it very easy for someone with suitably elevated access rights to plant a back door or hijack an existing binary. It is also a matter of trust and accountability: that open-sourced tarball X plus open-sourced packaging Y really do generate binary Z, and that neither we nor a compromised build slave poison the binary behind the scenes.
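As an added illustration of that argument (example code written for this page, not neon's or Debian's tooling), the toy below stands in for a package build: the same source packed on two constructed build slaves only yields byte-identical output once the environment-dependent metadata is normalized, and a minimal buildinfo-style record (a constructed format, not Debian's .buildinfo) lets a third party check the published artifact by rebuilding independently.

```python
import gzip, hashlib, io, tarfile

# Constructed stand-in for "open sourced tarball X + open sourced packaging Y".
SOURCE = {"src/main.c": b"int main(void) { return 0; }\n",
          "debian/rules": b"#!/usr/bin/make -f\n"}
# Two constructed build slaves: different clocks, uids and user names.
BUILDER_A = {"now": 1489488180, "uid": 1000, "user": "jenkins"}
BUILDER_B = {"now": 1565568180, "uid": 1001, "user": "builder"}
SOURCE_DATE_EPOCH = 1489488180  # hypothetical time of the last source change

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def build(source, env, normalize):
    """Pack the source tree into a .tar.gz, standing in for a package build.
    normalize=False lets the environment leak into the output: wall-clock
    mtimes, the builder's uid/user, dict order and the gzip header timestamp.
    normalize=True applies the reproducible-builds recipe: mtimes clamped to
    SOURCE_DATE_EPOCH, ownership fixed to root, sorted entries, gzip mtime 0."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb",
                       mtime=0 if normalize else env["now"]) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in (sorted(source) if normalize else source):
                info = tarfile.TarInfo(name)
                info.size = len(source[name])
                info.mtime = SOURCE_DATE_EPOCH if normalize else env["now"]
                info.uid = info.gid = 0 if normalize else env["uid"]
                info.uname = info.gname = "root" if normalize else env["user"]
                tar.addfile(info, io.BytesIO(source[name]))
    return buf.getvalue()

def buildinfo(source, artifact):
    """Minimal buildinfo-style record (constructed format, not Debian's):
    checksums of every input plus the checksum of the output."""
    return {"inputs": {n: sha256(d) for n, d in sorted(source.items())},
            "output": sha256(artifact)}

def verify_rebuild(info, source, env, normalize):
    """Independent rebuild elsewhere must reproduce the recorded output hash."""
    if {n: sha256(d) for n, d in sorted(source.items())} != info["inputs"]:
        return False  # different source: nothing meaningful to compare
    return sha256(build(source, env, normalize)) == info["output"]

def demo():
    naive = buildinfo(SOURCE, build(SOURCE, BUILDER_A, normalize=False))
    repro = buildinfo(SOURCE, build(SOURCE, BUILDER_A, normalize=True))
    return {"naive": verify_rebuild(naive, SOURCE, BUILDER_B, False),       # False
            "reproducible": verify_rebuild(repro, SOURCE, BUILDER_B, True)}  # True
```

The naive build fails verification on the second slave even though nobody tampered with anything, which is exactly why the buildinfo record is only useful once the build itself is reproducible.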

neon should implement reproducible builds.

  • Needs reading up on how Debian does it
  • Figure out what needs changing in our tooling to facilitate this
  • Create additional subtasks as necessary to implement changes against tooling
  • Probably also needs a storage solution worked out, as buildinfo metadata needs to be stored for longer than we store the builds themselves.
sitter created this task. Mar 14 2017, 10:43 AM

I actually did this for Debian for my Outreachy internship, and would like to look into this for neon, but will likely need help with our tooling bits.

sitter moved this task from Discussing to Backlog on the Neon board. Aug 12 2019, 1:03 AM