[SOLVED] Reproducible builds. Chroot environment, date and config.
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Reproducible builds. Chroot environment, date and config.
Hi all,
Omg, i post this on the worng forum. Virtualization, sorry. Hope that are the right.
Looking for reproducible builds in the Slackware Sub-Forum I only found 3 threads.
One in 2015 other in 2016 and on 2021. But nothing relevant for mi question.
Maybe I'm little daring. Maybe I have to much free time. Maybe I hope Slackware can do it.
I am now playing with chroot to try made an environment for reproducible builds. From my understand to do a reproducible build there are 2 requirements, same date "SOURCE_DATE_EPOCH" and same environment.
I am not an expert on C, compiler, environments, ... So sorry if I'm very wrong.
From now i am trying to change the date on chroot to fix the SOURCE_DATE_EPOCH. I looking deeper to change the system date.
I installed desired packages on the chroot to build a random package and checksum it. Actually I use the random ncdu to test. I need the same packages installed on the environment rigth? That are trivial to install desired packages on a chroot. Done.
I appreciate if someone can point me in the right way.
I think containers are not the way, too heavy.
I am on a rabbit hole?
Can chroot do same as a container from the point of view of making a reproducible build? Construct same environment, date, etc...
How many thinks are needed on the environment to make a reproducible build?
Reproducible builds are an idiotic idea. If you're rebuilding something, that's because you either want to do it machine-tailored, or you want to patch it. So there is nothing to reproduce.
If you're doing neither, don't rebuild, just use redhat.
You may be right and be a waste of time from the point of view you describe, Machine-Tailoring. In that case before Red Had I went to Gentoo.
From another point of view I see it useful at the time of providing packages. Being able to reproduce the same package with the same MD5 output gives more confidence. From the user point of view, if I reproduce it, I no longer need the package of a third party, that is like that. But from the point of view of a package provider, instead of a mirror, if another provider has the same package created with the same MD5 you are sure that nothing has been added.
I do not doubt about sources or packages of anyone. I see it simply as another point of verification. Task segmentation, controls ...
You really made me think about it.
I suppose the big ones need these verification points, but I do not think it is bad if the cost/effort - feature is good. Dunno.
But the main thing is that I am trying to learn things.
For now i think i need learn containers because chroot is not the way. mmm. But i am looking deeper.
I merely use chroot alone to build/test my SlackBuilds, though I don't aim for reproducability, I'd guess if you have the exact same packages in the chroot as in your main server/workstation, they presumably(?) have the same release dates, though I don't know if installation dates would be different or count, so you might be able to do reproducible ones... unsure but it sounds interesting. What the purpose of reproducability?
I merely use chroot alone to build/test my SlackBuilds, though I don't aim for reproducability, I'd guess if you have the exact same packages in the chroot as in your main server/workstation, they presumably(?) have the same release dates, though I don't know if installation dates would be different or count, so you might be able to do reproducible ones... unsure but it sounds interesting. What the purpose of reproducability?
From my knowledge I see reproducibility as a way for third parties to validate the construction of the package and the files that are created. And to be able to check files in a system that normally have no changes.
For example, if bash has a md5sum of xxxxxx1 and someone else can reproduce the same build, then we know that hash are ok. If for some reason that bash is changed by something, the md5 changes, if there is no reason for it, something strange will be happening.
Similar to how you can verify an exe or a dll in Windows, but with the difference that Windows builds it alone and you have to trust it and here with open sources anyone can build it but, if it is not reproducible the hash is different and also you have to trust.
a/ncdu-1.17-x86_64-1_SBo.1.tgz vs.
b/ncdu-1.17-x86_64-1_SBo.tgz
378 B
ncdu-1.17-x86_64-1_SBo.1.tgz-content vs.
ncdu-1.17-x86_64-1_SBo.tgz-content
308 B
usr/man/man1/ncdu.1.gz
264 B
filetype from file(1)
Offset 1, 1 lines modified Offset 1, 1 lines modified
1 gzip·compressed·data,·was·"ncdu.1",·last·modified:·Mon·Mar··4·19:08:43·2024,·max·compression,·from·Unix 1 gzip·compressed·data,·was·"ncdu.1",·last·modified:·Mon·Mar··4·19:08:42·2024,·max·compression,·from·Unix
Slackware makepkg are prepared with SOURCE_DATE_EPOCH
Code:
unset MTIME
if [ -n "${SOURCE_DATE_EPOCH}" ]; then
MTIME="--clamp-mtime --mtime=@${SOURCE_DATE_EPOCH}"
fi
but inside the slackBuild scripts some gzip man files don't.
I will try to modify Slackbuild gzip man files to see.
This source HugeSlackBuild script will create the ncdu Slackbuild files to build the ncdu package. You can list the md5 before and check before or after if you want.
The only change I made is on ncdu.Slackbuild gzip line
Code:
# Add -n option to gzip make reproducible when GZIP_NO_TIMESTAMPS is set
gzip -n -9 $PKG/usr/man/man?/*
On the name of the HugeSlackBuild file, the fist md5 is the md5 of the HugeSlackBuild the second is the md5 from the build ncdu SlackBuild package, in that case /tmp/ncdu-1.17-x86_64-1_SBo.tgz
From now i removed the environment file because I think this package build without.
Need check more packages to see deeper.
I would appreciate if someone could confirm that it is reproducible.
Thanks in advance.
EDITED: WARNING!! If you check on your primary system note that the date of the system will be changed. Update it after run the script or run on a virtual machine. Thanks.
1. From the officially released packages in the Slackware 15.0 or current tree. These packages have their md5sums stored in CHECKSUMS.md5, which is then signed by Patrick using his gpg key. I can verify this at my end with gpg, so long as I trust his process and that the gpg key is not compromised. To build each package just to prove I can reproduce the same hash seems like building the entire OS from scratch. If I wanted to do that, I'd run LFS to save time.
2. Build packages from scratch using the slackbuilds.org repo. These scripts are freely readable, editable, and the source is *usually* hosted on the source provider's servers. All you can do here is verify the source's md5sum is the same as the slackbuild's documented md5sum and trust upstreams source files. Nothing to reproduce here.
3. From AlienBob's repos, which are also gpg signed by him, and he has a solid reputation for quality software built for Slackware. See point 1.
If I have to build a package from source, I'm installing the package I just built and not some other guy's version of it. At what point is "reproducible builds" useful?
I guess you could re-build all of Slackware to reproduce it's md5sums, and then you can claim that you reproduced it all and officially verify it as a third party. That only goes as far as people trust you though.
1. From the officially released packages in the Slackware 15.0 or current tree. These packages have their md5sums stored in CHECKSUMS.md5, which is then signed by Patrick using his gpg key. I can verify this at my end with gpg, so long as I trust his process and that the gpg key is not compromised. To build each package just to prove I can reproduce the same hash seems like building the entire OS from scratch. If I wanted to do that, I'd run LFS to save time.
2. Build packages from scratch using the slackbuilds.org repo. These scripts are freely readable, editable, and the source is *usually* hosted on the source provider's servers. All you can do here is verify the source's md5sum is the same as the slackbuild's documented md5sum and trust upstreams source files. Nothing to reproduce here.
3. From AlienBob's repos, which are also gpg signed by him, and he has a solid reputation for quality software built for Slackware. See point 1.
If I have to build a package from source, I'm installing the package I just built and not some other guy's version of it. At what point is "reproducible builds" useful?
I guess you could re-build all of Slackware to reproduce it's md5sums, and then you can claim that you reproduced it all and officially verify it as a third party. That only goes as far as people trust you though.
Just not seeing the point.
I hope that day does not arrive but if one day either due to poor intention for carelessness or by third parties, some package creator is compromised, it will be difficult to find a way to compare with another unreproducible packages that has happened.
As my English is not very good, I quote others to explain it better.
The motivation behind the Reproducible Builds project is therefore to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process. By promising identical results are always generated from a given source, this allows multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny.
This ability to notice if a developer or build system has been compromised then prevents such threats or attacks occurring in the first place, as any compromise can be quickly detected. As a result, front-liners cannot be threatened/coerced into exploiting or exposing their colleagues.
I am comfortable for now with Slackware and I trust Patrick and Slackbuilds scripts, not in packages for third parties for now. If I need a package I can compile. I came to Slackware from Arch because systemd. I was a pleasant surprise to find a distribution that believes in doing things from simple ncurses helper scripts, with software that hasn't been modified from upstream development, etc.
So in that days, malware found in Arch Linux AUR Package Repository, malicious Python packages exposed in latest repository attack, etc. I only want to contribute with something that serve as something to be prepared in case these days comes. Some others distributions are working on it.
I have no server to accommodate such a number of packages nor is it my intention to replicate everything, maybe some packages for me that can be housed in Github due to size limits. If they serve someone that are welcome, if not, I have learned something doing this garbage.
So have u noticed that Slackware makepkg have SOURCE_DATE_EPOCH ?
This is not a competition is a way of collaborating to find things that have changed in a compromised system and they should not have changed.
From my comfort I do not need to replicate anything because I trust Slackware Slackbuilds and my skills, but I have always been curious and I like to help.
But maybe this is not the way.
The important thing is, if someone can replicate the package. I guess if it works in Live Slackware will work in others.
Edited: This is not for users is for package providers. I can also sign them but this signed packages don not mean that are not compromised.
We can debate forever whether any arbitrary mystery is worth the effort to untangle. All power to the OP who was intrigued enough by something to follow through and figure it out.
chris
Last edited by chris.willing; 03-05-2024 at 09:08 PM.
Thanks for taking the time to explain. I can see how that may be useful in a more complex packaging ecosystem where one or more trusted third parties are used to distribute/verify software packages.
I am fine using Slackware with its current package signing model as I mentioned earlier, but perhaps others may find uses from your project and posting these ideas here. It's certainly interesting that you can reproduce a build in such a way. I was just trying to learn why that's a thing people want in the first place.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.