Please keep in mind that history is written by the winners. Let's just hope for not too much betrayal.
- Tell the tale
- Archive wide rebuilds
Tell the tale
An history of reproducible builds in Debian, mostly written by Lunar.
An old idea
The idea of reproducible builds is not very new. In Debian world, it was mentioned first in 2000, and then more explicitly in 2007 on debian-devel: “I think it would be really cool if the Debian policy required that packages could be rebuild bit-identical from source.” The reactions were unfortunately not really enthusiastic both times.
Private property + Snowden effect
The interest on reproducible builds picked up again with Bitcoin. Users of bitcoins needed a way to trust that they were not downloading corrupted software. Initial versions of Gitian were written in 2011 to solve the problem. It drives builds using virtual machines and Git.
The global surveillance disclosures in 2013 raised the interest even further. Mike Perry worked on making the Tor Browser build reproducibly in fear of a “malware that attacks the software development and build processes themselves to distribute copies of itself to tens or even hundreds of millions of machines in a single, officially signed, instantaneous update”.
The success of making such a large piece of software build reproducibly proved that it was feasible for other projects. This prompted Lunar to organize a discussion at DebConf13 happening July 2013. Even scheduled at the last minute, there was still about thirty attendees who were very much interested, amongst them members of the technical committee and a few other core teams. Minutes are available.
After some more research during the conference, a wiki page was created. The initial approach was to get Debian to “buy-in” on the idea by making five packages from different maintainers build reproducibly. However, it quickly appeared that before fixing issues in the toolchain, it would not be possible to even get a single package to be reproducible.
Lunar came up with the first patches for dpkg at the August 2013. This enabled hello to build reproducibly. The first large scale rebuild was performed soon after by David Suárez, with variations on time and build path. 24% of 5240 source packages were identified as reproducible. The first version of a “smart” comparison script was written to help reviewing differences.
A second mass rebuild was made before the presentation in the distro devroom at FOSDEM’14. It used a slightly different approach regarding build paths and had binutils built in deterministic mode. 67% of 6887 source packages were found reproducible. A result applauded by the FOSDEM crowd.
The presentation sparked interest and woke up the mailing-list created some months ago. Tomasz Buchert wrote a lintian check for gzip files. Stéphane Glondu worked on sorting logs and experimenting with alternatives for build path issues.
.buildinfo control files
In parallel, several approaches on where and how to record the build environment were considered. The first idea was to use the .changes control file through a substitution variable (719854). Instead, Guillem Jover suggested to add new fields by passing --changes-option="-DBuild-Env=… to dpkg-buildpackage. As for the value, we discovered dh-buildinfo written by Yann Dirson, described as a “debhelper addon to track package versions used to build a package”. Fit for reproducible builds!
What happened for a year was presented at DebConf14. The reception was unexpectedly good and the follow-up BoF truly productive. For one thing, a suitable way to record the build environment was sketched out.
One issue about using .changes files is that they are not kept in the archive. So to be used as a way to record the environment, they would need to be distributed with the archive. But this would be a misunderstanding of their purpose. As their name implies, .changes control files represent changes to archive. They were inherently designed to be transient.
So instead, we had the idea of a new .buildinfo control file which would be added to the archive alongside binary packges — and be uploaded by referencing them in .changes. We quickly drafted a specification, and a couple of days later Niko Tyni came up with an addition to debhelper which created a .buildinfo using the output of the aforementioned dh-buildinfo.
Before ?DebConf14, an explicit timestamp was given during rebuilds, extracted from the .changes file. However, during the discussions, there was a consensus that the date of the latest entry in the debian/changelog file could be used as the reference timestamp when needed.
This helped another idea: a generic tool that would post-process different file formats to remove timestamps or other source of non-determinism. Andrew Ayer further took the task of creating strip-nondeterminism. The first released version handled files created by gzip, Zip, Jar, Javadoc, and .a files.
Giving up on build paths
Initially we though that variations happening when building the package from different build path should be eliminated. This has proven difficult. The main problem that has been identified is that full path to source files are written in debug symbols of ELF files.
First attempt used the -fdebug-prefix-map option which allows to map the current directory to a canonical one in what gets recorded. But compiler options get written to debug file as well. So it has to be doubled with -gno-record-gcc-switches to be used for reproducibility. The first large scale rebuild has proven that it was also hard to determine what the actual build path has been accurately.
Second attempt used debugedit which is used by Fedora and other to change the source paths to a canonical location after the build. Unfortunately, gcc write debug strings in a hashtable. debugedit will not reorder the table after patching the strings, so the result is still unreproducible. Adding this feature to debugedit looked difficult. We can still make the approach work by passing -fno-merge-debug-strings but this is space expensive. The second large scale rebuild used the latter approach. It was still difficult to guess the initial build path properly. Stéphane Glondu was the first to suggest to using a canonical build path to solve the issue.
During discussions at DebConf14, we revisited the idea, and felt it was indeed appropriate to decide on a canonical build path. It has an added benefit of making it easier to use debug packages: one simply has to unpack the source in the right place, no extra configuration required.
Finally, it was agreed to add a Build-Path field to .buildinfo as it made it easier to reproduce the initial build if the canonical build location would change.
Improved comparison tool
After strip-nondeterminism initial upload and integrating some more changes discussed during ?DebConf14 in dpkg and debhelper, Lunar experimented with 172 core packages. 30% were reproduced without further modifications.
At the end of September 2014, Holger Levsen started to work on extending jenkins.debian.net to perform continuous integration for build reproducibility. Packages from sid started to be built and rebuild. This initially introduced variations for time and file ordering, and was extended later on to also use different users, groups, hostnames, and locales.
The results were visible through a new reproducible.debian.net website. The process of analyzing reproducibility failures could now be more easily shared. New contributors indeed showed up and started submitting sorting out common issues and providing patches.
The turn of 2015 saw the replacement of the prototype .buildinfo generator by a new implementation suitable for proper inclusion in dpkg. Previously, only packages using dh could generate .buildinfo and could thus be considered reproducible. After updating the experimental toolchain, the change allowed to reach the mark of 80% source packages reproducible.
FOSDEM 2015 and aftermath
The presentation Stretching out for trustworthy reproducible builds was well received at FOSDEM 2015 and was followed up by
Debian Developer's Packages Overview (DDPO) inclusion
- debbindiff gained .rpm support
Debian Maintainer Dashbord inclusion
Finally, for now, not even two weeks after FOSDEM 2015 a mail with the subject "Reproducible Builds — proof of concept successful for 83% of all sources in main" was send to firstname.lastname@example.org officially anouncing the project to the Debian developer community at large.
Do you want to make the rest of the story? ?Join us!
Archive wide rebuilds
2013-09-07 by David Suárez. 24% of 5240 source packages reproducible. Variations: time, build path.
2014-01-26 by David Suárez. 67% of 6887 source packages reproducible. Variations: time, build path.
2014-09-19 by Lunar, 30% of 172 source core packages reproducible. Variations: time, file order.
Updated daily since 2014-09-28 by jenkins.debian.net. On 2014-11-11, 13213 (61.4%) out of 21448 packages are reproducible.
Include: Nothing found for "^= Presentations ="!
Got a spare moment? Please migrate this to our new webpages…
With free software, anyone can inspect the source code for malicious flaws. But Debian provide binary packages to its users. The idea of “deterministic” or “reproducible” builds is to empower anyone to verify that no flaws have been introduced during the build process by reproducing byte-for-byte identical binary packages from a given source.
More information about reproducible builds in general are available at reproducible-builds.org.
This section lists URLs, people, and dates for when other people have publicly expressed interest, or shared information about, the project.
Mike Perry, 2013-08-20: Deterministic Builds Part One: Cyberwar and Global Compromise
Jake Edge, 2013-08-21: Security software verifiability
Holger Levsen, 2014-09-26: Reproducible builds? I never did any - manually
Lunar, 2014-12-29: Reproducible builds against RC bugs
Lunar, 2015-01-15: 80%
Kristian Kißling, 2015-01-27: Debian bringt Reproducible Builds voran in linux-magazin.de (Note: the article contains several misunderstandings.)
Hans-Joachim Baader, 2015-02-16: Reproduzierbare Builds in Debian nähern sich in pro-linux.de (German)
2015-02-16: Debian Project Reaches 83% Reproducible Builds for Source Packages in softpedia.com.
Tannhausser, 2015-02-17: Debian mejora su seguridad con los reproducible builds in La Mirada del Replicante (Spanish)
Darren Pauli, 2015-02-23: Debian on track to prove binaries' origins in The Register
2015-02-24: Debian está trabajando en compilaciones reproducibles in Detrás del pingüino (Spanish)
2015-02-27: Debian security initiative for reproducible builds reaches milestone in ?TechRepublic by James Sanders
2015-05-06: http://www.linux-magazin.de/Ausgaben/2015/06/Reproducible-Builds in Linux-Magazin 06/2015 by Daniel Stender (in German)
2015-05-10: Reproducible builds on Debian for GSoC 2015 by dhole
2015-09-06: How Debian Is Trying to Shut Down the CIA and Make Software Trustworthy Again, J.M. Porup, Motherboard
2015-09-10: How Debian and other open-source projects are making software more trustworthy, Chris Hoffman, PCWorld.
2016-01-21: Hello tests.reproducible-builds.org by h01ger
2016-03-31: Reproducible Signal builds for Android (though it's not bit by bit identical and needs an apkdiff tool to claim it's reproducibility)
- akira (Maria Valentina Marin)
- Andrew Ayer
- Asheesh Laroia
- Chris Lamb
- Chris West
- Christoph Berg
- Daniel Kahn Gillmor
- David Suarez
- Drew Fisher
- Guillem Jover
- Hans-Christoph Steiner
- Helmut Grohne
- Holger Levsen
- josch (Johannes Schauer)
- Lunar (Jérémy Bobbio)
- Mattia Rizzolo
- Niels Thykier
- Niko Tyni
- Paul Wise
- Peter De Wachter
- Reiner Herrmann
- Stefano Rivera
- Stéphane Glondu
- Steven Chamberlain
- Tom Fitzhenry
- Tomasz Buchert
- Ximin Luo