rated 0 times [  2] [ 0]  / answers: 1 / hits: 661  / 2 Years ago, wed, december 1, 2021, 12:33:16

Are Ubuntu builds deterministic? I assumed they are, that is, if I recreate the process of building Ubuntu installation media, I will get the same image (bit-for-bit, with the same checksums) as the one on the Ubuntu mirrors.

A recent post by Joanna Rutkowska (lead developer of the Qubes OS distro) suggests that it isn't so:

    currently most projects, including all Linux distributions, do not build deterministically

Why not?



 Answers
6

No, they're not. Let's clarify a distinction here:

  • Does the system support "reproducible builds"?

    Yes, all systems support packages that are deterministic.

  • Does the system enforce "reproducible builds"?

    Nope, though it does help diagnose problems, and work is being done to make packages reproducible -- bugs are being reported and handled anyway.

  • Is everything, without exception, reproducible?

    Not even close.

Now let's define "reproducible builds":

    A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.

    The relevant attributes of the build environment, the build instructions and the source code as well as the expected reproducible artifacts are defined by the authors or distributors. The artifacts of a build are the parts of the build results that are the desired primary output.

Now let's talk about what is required.

Check out this page under "How", which lays down three criteria:

  1. the build system needs to be made entirely deterministic: transforming a given source must always create the same result. Typically, the current date and time must not be recorded and output always has to be written in the same order.

  2. the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined.

  3. users should be given a way to recreate a close enough build environment, perform the build process, and verify that the output matches the original build.

You can find more documentation about all of that here.

As to why Ubuntu isn't currently reproducible, things like Perl currently fail because -V stores the compiler args for convenience -- they're waiting on GCC to patch this upstream. A lot of this functionality could simply be nuked. Some other problems: some man pages and programs have the build dates compiled in, others compile in mutable paths to shared libraries and the like.

Not being reproducible isn't a problem or a vulnerability. It just makes it harder to verify that you haven't been tampered with, and currently that functionality is being viewed as more valuable.

You can follow Debian's progress towards determinism here.
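The three criteria the answer quotes, shown in working code as an added example (not part of the answer, and not Ubuntu's or Debian's own packaging tooling): a small Python script that packages a constructed two-file tree once the careless way (build date stamped into a generated file, filesystem walk order, live mtime and ownership copied into each header) and once the reproducible way (pinned archive format, sorted member order, timestamps clamped to a SOURCE_DATE_EPOCH value as in the reproducible-builds convention), then checks whether two builds from fresh checkouts made at different times hash the same. The package name "tool", the file contents and the epoch value are all constructed for the example.

```python
import hashlib
import io
import os
import tarfile
import tempfile
# Constructed sample source tree for a hypothetical package "tool" (stands in for a checkout).
SOURCE_FILES = {"usr/bin/tool": b"#!/bin/sh\necho tool\n", "usr/share/man/man1/tool.1": b".TH TOOL 1\n"}

def write_tree(root):
    for rel, data in SOURCE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

def naive_build(root, now):
    """Non-reproducible: build date stamped into a generated file, filesystem walk order, live mtime/uid/gid."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        stamp = f"built at {now}\n".encode()           # the "build dates compiled in" problem
        info = tarfile.TarInfo("BUILD_INFO")
        info.size, info.mtime = len(stamp), now
        tar.addfile(info, io.BytesIO(stamp))
        for dirpath, _, filenames in os.walk(root):    # order is whatever the filesystem returns
            for name in filenames:
                full = os.path.join(dirpath, name)
                tar.add(full, arcname=os.path.relpath(full, root))  # copies live mtime, uid, gid, uname
    return buf.getvalue()

def reproducible_build(root, source_date_epoch):
    """Reproducible: fixed format, sorted members, mtime = SOURCE_DATE_EPOCH, constant uid/gid/mode."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for full in sorted(os.path.join(d, n) for d, _, fs in os.walk(root) for n in fs):
            with open(full, "rb") as f:
                data = f.read()
            info = tarfile.TarInfo(os.path.relpath(full, root))  # defaults: uid=gid=0, uname="", mode 0644
            info.size, info.mtime = len(data), source_date_epoch
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def compare_builds(source_date_epoch=1_638_316_800):  # constructed SOURCE_DATE_EPOCH value
    """Build from two fresh checkouts one second apart; True means the two archives are bit-identical."""
    naive, repro = set(), set()
    for fake_now in (1_700_000_000.0, 1_700_000_001.0):
        with tempfile.TemporaryDirectory() as root:
            write_tree(root)
            naive.add(hashlib.sha256(naive_build(root, fake_now)).hexdigest())
            repro.add(hashlib.sha256(reproducible_build(root, source_date_epoch)).hexdigest())
    return {"naive": len(naive) == 1, "reproducible": len(repro) == 1}
```

Running `compare_builds()` reports the naive archive as not reproducible and the clamped one as reproducible; the same verification step (hash the artifact, compare with the published hash) is what criterion 3 asks distributions to give their users.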


[#20228] Answered Thursday, December 2, 2021