Debian has reproducible builds. What about PureOS?

pureismfan 2018-01-05 17:37:08 UTC #1

Debian’s killer feature is reproducible builds!

https://wiki.debian.org/ReproducibleBuilds

Does PureOS have similar efforts going on? How can we as users verify that the PureOS binaries on our Purism laptops come from the source code they’re supposed to be coming from?

Without this feature, “open source” doesn’t really mean much for most users IMO. Might as well use closed-source software. Correct me if I’m wrong.

pureismfan 2018-01-12 13:56:46 UTC #2

No reply?

I’m a bit disappointed.

I’ll repeat: “open source” without reproducibility might as well be closed source for all practical purposes for most users. You’re still back to trusting the guy who compiled the software.

taylor-williamc 2018-01-12 15:04:50 UTC #3

The Purism crew generally has a lot on their plate, and though they are often on the forums, they really can’t reply to everything. If you keep this thread bumped, they might see it and respond (or maybe some other community member who knows more can).

e3amn2l 2018-01-14 01:28:54 UTC #4

you’re wrong…
There is a huge different between open source and closed source software even if the open-source software is not reproducible build yet, using/trusting binaries that compiled by someone else isn’t magically solved (reduce the trust needed) if the binary is reproducible build, it require more then that (at least a infra that enable you to validate the build against other builders to combat targeted attacks, something Debian also work on as you can see at https://buildinfo.debian.net/)

in open-source software you can manually verify that the build wasn’t compromised by looking at the difference between the supplied build and the build you done yourself (sometimes it’s easy, sometimes it’s hard) the point of reproducible builds is that the verification done automatically, so any mismatch is either a new-bug (need to be fixed) or malicious backdoor.

Regarding PureOS I guess the following will happen:

They ensure the ISO generated is reproducible, as already done in Tails
https://tails.boum.org/news/reproducible_Tails/index.en.html
PureOS build upon Debian as many other distros (Ubuntu/Tails/Kali…) and all of them will benefit from Debian work when it will achieve 100% reproducible builds on all packages, then PureOs fix any reproducible bugs they introduce through changes.

ruff 2018-01-14 09:07:13 UTC #5

Trusting to non-reproducible build is same as trusting closed-source - you’re trusting the entity, not the code.
Non-reproducible = non-verifiable. It has nothing to do with openness of the code.
You never know whether entity has put a tiny backdoor in the code (by reversing single boolean operation - flipping a bit) which is no different from being completely closed. So trust model is identical. Open-source just creates false perception of the higher trust.

maxzor 2018-01-14 18:48:45 UTC #6

Discourse does not let one downvote… that kind of extremist comparison is ugly.
What prevents a reproducible build to have a tiny backdoor then.
On one hand you have proprietary hardware circuits that you will not have plans for too soon ; on the other hand you execute shared javascript all around the web. The goal is praiseworthy, how you push for it depends

ruff 2018-01-14 19:18:53 UTC #7

Bit-flip will be detected by checksum/signature mismatch. Reproduced package matches bit-by-bit.
Of course you may argue - if you are not sure just build yourself. Yes, this is Gentoo. However here it’s not about paranoia, just absence of mechanism to verify.
If you reproduced the package - you can then verify sources to figure whether it has backdors. With non-reproducible build you have no such means. Just blind trust. Or rebuild the world. But then - why to use this distro?

Not with root privileges.

maxzor 2018-01-14 21:38:05 UTC #8

Right, that is a nice feature, but that does not remove the trust-the-entity(repo) model.

jeff 2018-01-15 20:35:07 UTC #9

@pureismfan, you need to be bit patient when asking questions. Not everybody crawls these forums besides Mladen and me (occasionally), and the PureOS team in particular typically spends the vast majority of their time in tracker.pureos.net, not the forums…

Anyway, this is a topic for @zlatan-todoric

matthias.klumpp 2018-01-24 21:41:25 UTC #10

At the moment, there is no strong need for reproducible PureOS builds, because most packages are synced from Debian directly and are not rebuilt for PureOS. So, you can easily verify the binaries with the data generated by Debian’s reproducible builds project.
We will switch to full rebuilds eventually though, and when that happened, a reproducible builds project makes sense and it is likely that we will add this service to PureOS then (but even then we can not give an ETA for that, because such an effort demands both infrastructure as well as manpower, and that has to be sorted out first).

So, tl;dr: At the moment, reproducible builds aren’t super-relevant (only for PureOS specific packages), but in future there is a high chance we’ll have them. It’s on our long-term roadmap.