On Mon, Dec 17, 2018 at 06:25:48PM +0100, Nicolas Vigier wrote:
Hello,
I was at the reproducible builds summit last week. During the meeting there were discussions about various topics related to reproducible builds:
- reproducible builds for various languages, filesystems and distributions
- bootstrapping
- rebuilders and user verification
- software transparency
I think the two most interesting discussions for me were about rebuilders and user verification, and software transparency.
Interesting, thanks!
= Software Distribution Transparency and Auditability =
Benjamin Hof is working on tools for Software Distribution Transparency and Auditability: https://arxiv.org/abs/1711.07278 https://debconf18.debconf.org/talks/104-software-transparency-package-securi...
He has implemented some prototypes to improve software distribution transparency in Debian, using a public log server which can be used to monitor the packages which have been distributed to users. I discussed with him how something similar could be done in Tor Browser.
Here is how it could work:
- we add a log server which can be used to cryptographically prove:
- inclusion of an update in the log
- append-only operation of the log
- when we release a new Tor Browser version, we add checksums of the new mar files to the log.
- when the Tor Browser updater receives a new update, it checks if the update is in the log, before applying it. If the update is not in the log, then the update is not applied.
- independant monitors analyse the logs. They check that all checksums published in the log correspond to a known release. They can also check that the build corresponding to those checksums is reproducible. The log is public, so anybody can monitor it.
The main improvement from this system is that it allows anyone to check that all the updates used by all users are reproductible builds, while today you can only verify that for one downloaded copy of the software.
This seems like it has the same goal as Mozilla's Binary Transparency log: https://wiki.mozilla.org/Security/Binary_Transparency
I'm not sure if Mozilla are actively working on this, but based on the two bug on that page, it seems like it isn't a priority right now: https://bugzilla.mozilla.org/show_bug.cgi?id=1341397 https://bugzilla.mozilla.org/show_bug.cgi?id=1341398