Stretching out for trustworthy reproducible builds creating bit by bit identical binaries
-
Not SyncedWelcome and good morning
-
Not SyncedThis is the reproducible builds team,
talking about -
Not Synced"Stretching out towards trustworthy
computing" -
Not Synced[Applause]
-
Not SyncedWe're 4 on stage, but actually this is a
team effort. -
Not SyncedAll these people listed here have
contributed to the project at one point. -
Not SyncedThe 4 of us, that's
-
Not SyncedLunar − me
-
Not Syncedthere's Dhole,
-
Not SyncedChris Lamb − lamby
-
Not Syncedand Holger.
-
Not SyncedBut actually, this is DebConf and so a lot
more of us have been or are -
Not Syncedcurrently here and so, if you want to
thank anybody that is working on this -
Not Syncedyou need to actually thank all of
these folks -
Not Synced'cause, yay.
-
Not Synced[Applause]
-
Not Synced[Holger] The people in blue are here.
-
Not Synced[Lunar] Let's get started.
-
Not SyncedQuick ??? on what we're talking
about. -
Not SyncedWe have software, it's made from source.
-
Not SyncedSource is readable by humans or at least
a good amount of humans. -
Not SyncedIn this room it's good.
-
Not SyncedBinary, readable by computer and some
tiny fraction of humanity. -
Not SyncedGoing from source to binary is called
build, or like building or compiling -
Not Syncedand we're doing free software and
free software is awesome because -
Not Syncedwe can actually run these binaries like
we want -
Not SyncedWe can actually study the software, how
it's been made by studying the source -
Not Syncedand by studying the source we can assess
that it does what it's supposed to do -
Not Syncedand not something else that does not
-
Not Syncedhave malware, or trojans or security bugs
-
Not SyncedSo we have the binary that can be used,
fine. -
Not SyncedWe have the source that can be verified.
-
Not SyncedProblem is that right now, the only way we
know that a binary that we get… -
Not SyncedWe have to trust a website or a Debian
repository that says -
Not Synced"Well, this binary has been made with this
source" -
Not SyncedBut there's no way we can actually prove
that. -
Not SyncedThis is actually a problem that has been
well explained by -
Not SyncedMike Perry and Seth Schoen at the 31c3
in Hamburg last december. -
Not SyncedFor example, Seth Schoen made a proof of
concept exploit for the Linux kernel -
Not Syncedthat when GCC was called, the kernel would
without modifying anything on the disk -
Not Syncedwhen the kernel detects that GCC is going
to read a C file, it will insert some -
Not Syncedextra lines of code, and these lines of
code can be a very bad thing -
Not Syncedin the case of 31c3 talk I was just
recalling. -
Not SyncedActually, you can even have developpers
who are in very good faith, who have -
Not Syncedtotally secure dev machines, or they
thought they have, -
Not Syncedwho have reviewed all their source code
for any bugs -
Not Syncedand we would still get totally owned as
soon as their computer gets compromised -
Not Syncedor one of the build demons from Debian
gets compromised for example. -
Not SyncedThis is not, like, hypothetical threats
here we're discussing -
Not SyncedA couple of months after Seth an Mike's
talk at 31c3, -
Not Syncedthe Intercept revealed from the Snowden
leaks -
Not Syncedthat at a CIA conference in 2012, one
of the talks that happened -
Not Syncedwas about a project called Strawhorse.
-
Not SyncedStrawhorse is about modifying Apple XCode,
which is the development environment -
Not Syncedfor MacOS 10 and iOS applications
-
Not Syncedand well, they were modifying XCode so
it would produce, -
Not Syncedwithout the developer knowing,
-
Not Syncedbinaries with trojans, malware,
??? binaries, lots of bad things. -
Not SyncedSo, solution:
-
Not Syncedenable anyone to reproduce identical
binary packages from a given source. -
Not SyncedBecause if using a source, using the same
environment, -
Not Syncedmultiple people on different computers, on
different networks, at different times, -
Not Syncedcan all get the same thing
from the same source -
Not Syncedall the same binary, byte for byte,
-
Not Syncedthen there's a good chance that…
-
Not SyncedWell, everybody could be owned,
but let's be more joyful and say that -
Not Syncedprobably, if everybody gets the same
result, there was actually no problem -
Not Syncedand everybody is safe.
-
Not SyncedWe call that solution
"reproducible builds" -
Not SyncedYay.
-
Not Synced[Applause]
-
Not SyncedActually, it's not only about security.
-
Not SyncedFor Debian, we have, if you're doing
"Multi-arch: same" packages, -
Not Syncedwell they only have the same bytes if
they are built for different architectures, -
Not Syncedthe files in the package.
-
Not SyncedDebug packages, you can create at a later
time, if you forgot to have debug packages -
Not Syncedin the first place,
-
Not Syncedyou can pass the no-strip option later and
because the package is reproducible, -
Not Syncedyou will get the debug symbols that work
for software that has been shipped already -
Not SyncedWe do early detection of FTBFS that way
-
Not Syncedbecause if we try pretty quickly
to reproduce a build, -
Not Syncedthen it has to work.
-
Not SyncedIt's useful for build profiles.
-
Not SyncedWe can get smaller .deb deltas,
-
Not Syncedbecause from one version to the next we
might have the same content. -
Not SyncedWe can do validation of cross-builds,
-
Not SyncedHelmut Grohne can talk to you about that.
-
Not SyncedAnd also, Niels Thykier told me that
-
Not Syncedhe was very interested in reproducible
builds because it would enable him to -
Not Syncedtest debhelper better, because
-
Not Syncedif the package builds reproducibly,
then he makes a change to debhelper -
Not Syncedhe can rebuild the package ???
-
Not Syncedthe same version of a package with a newer
debhelper and see what has changed -
Not Syncedand this change can be isolated to only
what he has worked on debhelper -
Not Syncedfor example.
-
Not SyncedAnd, oh my.
-
Not SyncedThe whole world is watching us.
-
Not SyncedSince two years or a year and a half ago,
everybody I meet in security conference, -
Not Syncedin hacker conference, in free software
conference is like -
Not Synced"Oh you're working on that,
that's awesome." -
Not SyncedAnd, I mean, I've been the one doing quite
a lot of talks, and everybody comes to me -
Not Syncedand I'm like "Wow wow, this is way bigger",
-
Not Syncedbut we're actually leading the field here.
-
Not SyncedYay Debian.
-
Not Synced[Applause]
-
Not SyncedSo, we are not the only ones leading the
field, -
Not SyncedBitcoin and Tor made their software
reproducible before us, -
Not SyncedCoreboot also succeeded, if you build
Coreboot without any payload, -
Not Syncedthat's 100% reproducible.
-
Not SyncedFreeBSD has a page on their wiki since
2013 -
Not Syncedsaying there are 5 reproducibility issues
in their base system. -
Not SyncedWe're at the moment trying to
confirm this. -
Not SyncedOn jenkins.debian.net, I've also set up
now tests for FreeBSD, NetBSD, -
Not SyncedCoreboot and OpenWrt.
-
Not SyncedSo if you go to
reproducible.debian.net/ -
Not Syncedyou get that tested.
-
Not SyncedAnd there's more in the pipeline.
-
Not SyncedThere are other projects interested
as well. -
Not SyncedNetBSD also has a variable ???
which you can set -
Not Syncedand that builds reproducibly.
-
Not SyncedThough they think "I'm keeping some
timestamps ??? and then -
Not Syncedfiltering them out later".
-
Not SyncedWe disagree.
-
Not SyncedSo this is how Debian looks like,
Debian Sid, -
Not Syncedbut this is a lie.
-
Not SyncedThis is not the truth.
-
Not SyncedThis is just our test setup.
-
Not SyncedSid is not like this.
-
Not SyncedFor Sid, it's all orange, there's zero
reprodicibility in Sid today. -
Not SyncedBut we'll talk now and in the following
round table, -
Not Syncedit's to actually make Sid reproducible.
-
Not SyncedThe current status is
-
Not Syncedwe're working on this in Debian since
two years ago. -
Not SyncedWe have weekly reports about our project
now since May -
Not Syncedand we've given several talks, especially
in the last year -
Not Syncedand all these talks, presentation, also
other stuff is linked in the wiki. -
Not SyncedThere's a page with information about
Debian, these BSDs, -
Not Syncedother Linuxes, upstream ???
all on this wiki. -
Not SyncedSince DebConf14, which is merely
a year ago, -
Not Syncedwe've made quite some changes.
-
Not SyncedWe have introduced
strip-nondeterminism -
Not Syncedwhich is called by dh at the end
of the build of the package -
Not Syncedand will normalize some things
which Chris will explain later -
Not SyncedWe have decided on a fixed build path
-
Not Syncedbecause the build path is linked
in the binaries and several things -
Not SyncedWe didn't find a way yet to make
the build path arbitrary. -
Not SyncedWe designed a way to record the build
environment -
Not Syncedbecause to rebuild, you need to recreate
the build environment. -
Not SyncedWe set up this Jenkins setup.
-
Not SyncedWe wrote diffoscope which used to be
called debbindiff -
Not Syncedwhich shows differences between two
packages or two directories or -
Not Syncedtwo filesystems by now.
-
Not SyncedThere's SOURCEDATEEPOCH, which is a way
that the tools expose -
Not Syncedthe last modification of the source.
-
Not SyncedBecause the build date, people want to
include the build date -
Not Syncedbecause they think this is a meaningful
indication: -
Not Syncedwhen a build was done,
which software used.
Show all