
List:       secure-desktops
Subject:    [Secure Desktops] [qubes-devel] Re: Deterministic builds for Qubes OS -- the shortcut?
From:       hw42 () ipsumj ! de (HW42)
Date:       2015-12-23 0:19:00
Message-ID: 5679E874.6060001 () ipsumj ! de

Patrick Schleizer:
> Hi!
> 
> Debian is working on deterministic built packages. To my knowledge, they
> are not yet working on deterministic iso and/or raw images.

They focus currently on packages. But it's on their TODO list AFAIK.

> To have a package build deterministically is one thing. To have it not
> generate any entropy while installing it [within the raw image], is
> another story.
> 
> Some non-deterministic examples include:
> 
> - /etc/xml/catalog
> 
> - /var/cache/man
> 
> - /var/cache/fontconfig
> 
> - More examples can be extracted from here:
> 
> https://github.com/Whonix/whonix-initializer/blob/8b150409c464427c89aa9d4e261b80f5fc2fa5d1/usr/lib/anon-dist/chroot-scripts-post.d/80_cleanup
>  
> - Other small things that add up such as MBR random disk signatures and
> disk uuid.
> 
> - File creation and access times.
> 
> - Location / ordering within the image.
> 
> So I am afraid, even when the Debian repository is 100% reproducible, it
> will take longer until also iso and/or raw images can be built reproducibly.

Reproducible packages and reproducible installs/images are two different
problems (with the same motivation). I.e. you can work on reproducible
installs without reproducible packages.

I think reproducible images are a manageable complex problem. I made
some tests and came to a similar list as you. Most of the stuff is easily
fixed (at least as long as you don't need to do it upstream).

Qubes has the advantage that, since we are dealing with VM images, we
can move much of the cache generating stuff to the first boot (that's
not a nice option for live distributions).

But yes that's work and needs to be done ;]
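As an added example (not code from this thread, nor from the Qubes or Whonix projects), the following POSIX shell script builds two constructed root trees that differ only in the artifacts the thread lists, applies the kind of normalization the reply suggests (drop caches that first boot can regenerate, pin mtimes to an assumed SOURCE_DATE_EPOCH, zero the 4-byte MBR disk signature at offset 440, hash files in sorted path order so on-disk ordering does not matter), and checks that the two fingerprints then agree. It assumes GNU coreutils (touch -d @N, stat -c, sha256sum) and a writable temp directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Two constructed root trees that
# differ only in the artifacts the thread lists; after normalization their
# fingerprints match. Assumes GNU coreutils (touch -d @N, stat -c, sha256sum).
set -eu

SOURCE_DATE_EPOCH=1450829940   # assumed fixed build timestamp

# Constructed root tree: $1 = directory, $2 = token standing in for per-build entropy.
make_root() {
    mkdir -p "$1/etc/xml" "$1/var/cache/man" "$1/var/cache/fontconfig" "$1/usr/bin"
    printf 'base system\n' > "$1/usr/bin/prog"                  # reproducible payload
    printf 'catalog %s\n' "$2" > "$1/etc/xml/catalog"            # generated at install time
    printf 'index %s\n' "$2" > "$1/var/cache/man/index.db"
    printf 'cache %s\n' "$2" > "$1/var/cache/fontconfig/$2.cache-4"
    head -c 512 /dev/zero > "$1/mbr.img"                         # constructed MBR sector
    printf '%s' "$2" | dd of="$1/mbr.img" bs=1 seek=440 count=4 conv=notrunc 2>/dev/null
}

# Normalization: drop caches that first boot can regenerate, zero the 4-byte
# disk signature at MBR offset 440, and pin every mtime to SOURCE_DATE_EPOCH.
normalize_root() {
    rm -rf "$1/var/cache/man" "$1/var/cache/fontconfig" "$1/etc/xml/catalog"
    dd if=/dev/zero of="$1/mbr.img" bs=1 seek=440 count=4 conv=notrunc 2>/dev/null
    find "$1" -exec touch -h -d "@$SOURCE_DATE_EPOCH" {} +
}

# Fingerprint: paths sorted so on-disk ordering is irrelevant; covers path, mtime, content.
fingerprint() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
          printf '%s %s ' "$f" "$(stat -c %Y "$f")"; sha256sum < "$f"
      done ) | sha256sum | cut -d' ' -f1
}

# Returns "differ same": the raw trees differ, the normalized trees match.
demo() {
    w=$(mktemp -d)
    make_root "$w/a" 1111; make_root "$w/b" 2222
    if [ "$(fingerprint "$w/a")" = "$(fingerprint "$w/b")" ]; then r=same; else r=differ; fi
    normalize_root "$w/a"; normalize_root "$w/b"
    if [ "$(fingerprint "$w/a")" = "$(fingerprint "$w/b")" ]; then r="$r same"; else r="$r differ"; fi
    rm -rf "$w"
    echo "$r"
}

demo
```

Running the same fingerprint over two real builds of an image tree is the check; anything that still differs after normalization is a remaining entropy source to either defer to first boot or fix at build time.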

