List:       qubes-devel
Subject:    [qubes-devel] Re: [Secure Desktops] Deterministic builds for Qubes OS -- the shortcut?
From:       "Manuel Amador (Rudd-O)" <rudd-o () rudd-o ! com>
Date:       2015-12-24 21:19:26
Message-ID: 567C615E.50102 () rudd-o ! com

On 12/22/2015 03:26 PM, Joanna Rutkowska wrote:
> Hi,
>
> I've recently had a chance to discuss with Marek and Wojtek, who recently took
> part in the Reproducible Builds Summit in Athens [1], the current state of
> these efforts. TL;DR, the ETA for having Debian build deterministically is ~1.5
> year, which I take to mean it won't happen before 2018. Then, at least 0.5 year
> to get Qubes (i.e. the ISO) to build deterministically, which means we won't
> have it before the end of 2018, optimistically counting ;)

Frankly, you will have substantially better luck just moving Dom0 to NixOS.

Port your Dom0 build scripts to Nix expressions.  Run them within NixOS
by simply realizing the expressions.

Then you should have a solid start towards reproducibility and
determinism, as they have done 95% of the work that would be necessary
to solve the issue.

A further benefit is that pinning the TCB to a specific set of packages
is much easier with NixOS, and so is moving the TCB forward to the next
release of NixOS while keeping your Nix expressions the same.

An even further benefit is that the installed image might or might not
contain everything necessary to build an entirely new Dom0 100%
deterministically -- that's an architectural decision -- but /that
doesn't mean all such software would be mapped into the user-space that the
operator has access to./

The final benefit is that anyone will be able to build their own Qubes
updates very easily, as well as recheck that the "packages" they have
downloaded build exactly the same locally, with no special build server
setup work on the part of the user.

Of course, one thing that would be necessary to do is a small shim that
would delegate builds to a domU running Nix Hydra, which (when done)
would serve the realized derivation (the "package") back to the caller. 
This way builds do not actually happen in Dom0.


-- 
    Rudd-O
    http://rudd-o.com/
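
Added example, not part of the original message and not Qubes or Nix code: one way a user could recheck that a downloaded package matches a local rebuild is to compare the two output trees file by file. The function names, the sample trees and the choice to ignore timestamps and ownership are assumptions of this sketch.

```python
import hashlib
import os
import stat
import tempfile

def tree_manifest(root):
    """Map each relative path to a SHA-256 over its type, exec bit and content.
    Timestamps and ownership are ignored (an assumption of this sketch)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # fixed traversal order
        for name in dirnames + sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            h = hashlib.sha256()
            if stat.S_ISLNK(st.st_mode):
                h.update(b"link\0" + os.fsencode(os.readlink(path)))
            elif stat.S_ISREG(st.st_mode):
                h.update(b"exec\0" if st.st_mode & stat.S_IXUSR else b"file\0")
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
            else:
                h.update(b"dir\0" if stat.S_ISDIR(st.st_mode) else b"special\0")
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest

def compare_builds(downloaded, rebuilt):
    """Return the sorted paths that are missing on one side or differ."""
    a, b = tree_manifest(downloaded), tree_manifest(rebuilt)
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))

def _sample_tree(root, payload, mtime):
    """Constructed sample output tree: one executable at bin/tool."""
    tool = os.path.join(root, "bin", "tool")
    os.makedirs(os.path.dirname(tool))
    with open(tool, "wb") as f:
        f.write(payload)
    os.chmod(tool, 0o755)
    os.utime(tool, (mtime, mtime))

def demo():
    """Same bytes with different mtimes match; one changed byte is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        dl, ok, bad = (os.path.join(tmp, n) for n in ("downloaded", "rebuilt", "altered"))
        _sample_tree(dl, b"\x7fELF constructed payload", 1)
        _sample_tree(ok, b"\x7fELF constructed payload", 1450000000)
        _sample_tree(bad, b"\x7fELF constructed payl0ad", 1)
        return compare_builds(dl, ok), compare_builds(dl, bad)
```

Calling demo() returns an empty list for the matching pair and the path of the altered file for the other; an empty result from compare_builds is the "builds exactly the same" outcome.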
