Feature #14455

Reproducible Builds Stage 2

Added by segfault about 2 months ago. Updated about 2 months ago.

Status: Confirmed
Priority: Normal
Assignee:
Category: Build system
Target version:
Start date: 08/26/2017
Due date:
% Done: 0%
QA Check:
Feature Branch:
Type of work: Research
Blueprint:
Easy:
Affected tool:

Description

There has been a lot of progress to achieve reproducible builds of the Tails ISO image (#5630). But to effectively protect against infrastructure or developer compromise, it should also be possible to verify that the packages downloaded from our repositories are not modified. This affects two repositories:

1. The custom APT repository we host to provide our custom Debian packages.
2. The snapshots of the Debian repositories we host to fetch Debian packages during build.

(We host a third repository, but it affects only development builds, so it is not relevant for releases, which is what we care about in this effort.)

Those packages could be maliciously modified by Administrators / compromised infrastructure, and there is currently no process to verify that these packages are not modified.

We want to solve this issue in the "second stage" of our effort to provide reproducible builds.

One question shall be answered first though: assuming we solve the issues described above, what are the remaining ones? IOW, will this substantially raise the bar for an adversary?


Related issues

Related to Tails - Feature #6220: Automated Debian package build infrastructure Confirmed 08/07/2013

History

#1 Updated by BitingBird about 2 months ago

  • Assignee set to intrigeri
  • Target version changed from 2018 to 2019

team: segfault, lamby, intrigeri (tech team lead, consultant, management)

#2 Updated by intrigeri about 2 months ago

  • Description updated (diff)
  • Assignee changed from intrigeri to segfault

#3 Updated by lamby about 2 months ago

Hey segfault!

Have we met? :) If not, hope to do so soon...

> One question shall be answered first though: assuming we solve the issues described above, what are the remaining ones? IOW, will this substantially raise the bar for an adversary?

Could you elaborate more on what you mean by "second stage"? I mean, things like ensuring the source code was not modified is obviously important (!) but not under the heading of "reproducible builds" (which deliberately assumes that the source is Totally Safe).

Perhaps this is stuff around distributing the SHA?

#4 Updated by segfault about 2 months ago

Hey lamby! I don't think we met yet, but I'm looking forward to it :)

> Could you elaborate more on what you mean by "second stage"? I mean, things like ensuring the source code was not modified is obviously important (!) but not under the heading of "reproducible builds" (which deliberately assumes that the source is Totally Safe).

These issues were raised by intrigeri, and I only tried to summarize them, but if I understand correctly, the problem we want to tackle here is not that the source code might be manipulated, but that there is no way to verify that the packages downloaded from our repositories during the build process are:
  • reproducibly built (in case of the custom APT repository with our own packages),
    or
  • are identical to the packages distributed by Debian (in case of our snapshots of the Debian repositories).

Also note that I have little knowledge of Debian packages and APT internals (which is one of the reasons we want you on board for this, I think).

#5 Updated by lamby about 2 months ago

> no way to verify that the packages downloaded from our repositories during the build process are reproducibly built

That's true. This is currently not really possible in Debian alas, although do see:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872514

> are identical to the packages distributed by Debian

AIUI that should be possible right now, or at least all the "parts" are there?
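
One way the "identical to the packages distributed by Debian" check could look, as an added example that is not part of this ticket or of the Tails code base: compare each entry of the snapshot's `Packages` index against a reference `Packages` index by name, version, architecture, size and SHA256. It assumes the reference index was fetched and authenticated independently of the snapshot infrastructure; the package names and contents below are constructed sample data.

```python
import hashlib
import re

def parse_packages(text):
    """Parse a Debian Packages index into {(name, version, arch): fields}."""
    index = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t"):      # continuation line of a multi-line field
                if key:
                    fields[key] += "\n" + line.strip()
                continue
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        if "Package" in fields:
            ident = (fields["Package"], fields.get("Version", ""),
                     fields.get("Architecture", ""))
            index[ident] = fields
    return index

def compare_indices(snapshot_text, reference_text):
    """Return (mismatched, unknown) identifiers for the snapshot's entries."""
    snapshot = parse_packages(snapshot_text)
    reference = parse_packages(reference_text)
    mismatched, unknown = [], []
    for ident, fields in sorted(snapshot.items()):
        ref = reference.get(ident)
        if ref is None:
            unknown.append(ident)            # not in the reference index at all
        elif (fields.get("SHA256"), fields.get("Size")) != (ref.get("SHA256"), ref.get("Size")):
            mismatched.append(ident)         # same name/version/arch, different bytes
    return mismatched, unknown

def stanza(name, version, arch, payload):
    """Build a constructed stanza; the digest is of made-up bytes, not a real .deb."""
    return (f"Package: {name}\nVersion: {version}\nArchitecture: {arch}\n"
            f"Size: {len(payload)}\nSHA256: {hashlib.sha256(payload).hexdigest()}\n")

# Constructed sample indices (hypothetical package names).
REFERENCE = "\n".join([stanza("example-a", "1.0-1", "amd64", b"a"),
                       stanza("example-b", "2.0-1", "amd64", b"b")])
SNAPSHOT = "\n".join([stanza("example-a", "1.0-1", "amd64", b"a"),
                      stanza("example-b", "2.0-1", "amd64", b"B"),   # altered bytes
                      stanza("example-c", "0.1", "all", b"c")])      # not in reference

if __name__ == "__main__":
    print(compare_indices(SNAPSHOT, REFERENCE))
```

Entries reported as unknown are the ones this comparison cannot vouch for, which is where packages from a custom repository would land.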

#6 Updated by intrigeri 18 days ago

  • Related to Feature #6220: Automated Debian package build infrastructure added
