Questions about Tor reproducibility

Hello friends,

Another project with which I and Aspiration do a lot of work is Reproducible Builds (https://reproducible-builds.org/)

We are doing some communications and "amplification" on the Reproducible Builds team, and I'm wondering who in Tor has reproducibility on their plate, and might be good to talk to about Tor thinking on reproducibility?

We are trying to identify things we might visualize as well as how you are thinking about RB these days?

Thanks in advance...

peace, gunner

--
Allen Gunn
Executive Director, Aspiration
www.aspirationtech.org
Aspiration: "Better Tools for a Better World"
Read our Manifesto: https://aspirationtech.org/publications/manifesto
Twitter: www.twitter.com/aspirationtech

On 11/22/21 1:24 AM, Allen Gunn wrote:
> Hello friends,
>
> Another project with which I and Aspiration do a lot of work is Reproducible Builds (https://reproducible-builds.org/)
>
> We are doing some communications and "amplification" on the Reproducible Builds team, and I'm wondering who in Tor has reproducibility on their plate, and might be good to talk to about Tor thinking on reproducibility?

You might want to go and talk to the Tor Browser devs, they build TB in a reproducible way with tor-browser-build [1]. For (little-t) tor there has been some work to make reproducible tarballs recently [2].

> We are trying to identify things we might visualize as well as how you are thinking about RB these days?
>
> Thanks in advance...
>
> peace, gunner

[1] https://gitlab.torproject.org/tpo/applications/tor-browser-build
[2] https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/473

--
Encryption In Space!

Hi Gunner!

On Sun, 21 Nov 2021, Allen Gunn wrote:
> Hello friends,
>
> Another project with which I and Aspiration do a lot of work is Reproducible Builds (https://reproducible-builds.org/)
>
> We are doing some communications and "amplification" on the Reproducible Builds team, and I'm wondering who in Tor has reproducibility on their plate, and might be good to talk to about Tor thinking on reproducibility?
>
> We are trying to identify things we might visualize as well as how you are thinking about RB these days?

We are still doing reproducible builds: for each Tor Browser release we have two people from the team building and comparing the results of the builds (and investigating and fixing the issue if it's not matching).

And this page has instructions for people who want to reproduce our builds: https://gitlab.torproject.org/tpo/applications/tor-browser/-/wikis/Hacking/H...

However checking that builds have been reproduced is still a manual process. I think the next step would be to have more people building Tor Browser, with some system to publish the results, and then having the Tor Browser updater check before applying an update that it has been built by multiple trusted builders.

However since we are a small team and already busy with many other things, this is not very high priority at the moment.

Nicolas
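
The updater-side check proposed in the message above (accept an update only if multiple trusted builders published the same hash), sketched as an added example; it is not part of the thread and not Tor Browser code. The builder names, file name, sha256sum-style manifest format, threshold and the "any dissent blocks the update" policy are all assumptions, and the manifests are assumed to have been authenticated already.

```python
import hashlib

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into {filename: digest}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # sha256sum marks binary mode with '*'
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef") or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest
    return entries

def check_update(update_bytes, filename, manifests, trusted, threshold):
    """Decide whether enough trusted builders reproduced this exact file.

    manifests: {builder_name: manifest_text}, assumed already authenticated
    (signature verification is out of scope for this sketch).
    Returns (accept, agreeing_builders, dissenting_builders).
    """
    actual = hashlib.sha256(update_bytes).hexdigest()
    agreeing, dissenting = [], []
    for builder in sorted(manifests):
        if builder not in trusted:
            continue  # unknown builders never count toward the threshold
        try:
            published = parse_manifest(manifests[builder]).get(filename)
        except ValueError:
            published = None  # unparseable manifest: treated as no statement
        if published is None:
            continue  # this builder has not published a hash for this file
        (agreeing if published == actual else dissenting).append(builder)
    # Assumed policy: a trusted builder publishing a different hash blocks the
    # update, because the build was either not reproduced or tampered with.
    accept = len(agreeing) >= threshold and not dissenting
    return accept, agreeing, dissenting

# Constructed sample data: file name, contents and builder names are made up.
UPDATE = b"constructed update payload"
NAME = "browser-update.mar"
GOOD = f"{hashlib.sha256(UPDATE).hexdigest()}  {NAME}\n"
BAD = f"{hashlib.sha256(b'different bytes').hexdigest()}  {NAME}\n"
TRUSTED = {"builder-a", "builder-b", "builder-c"}

if __name__ == "__main__":
    print(check_update(UPDATE, NAME, {"builder-a": GOOD, "builder-b": GOOD}, TRUSTED, 2))
    print(check_update(UPDATE, NAME, {"builder-a": GOOD, "builder-b": BAD}, TRUSTED, 1))
```
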

Allen Gunn:
> Another project with which I and Aspiration do a lot of work is Reproducible Builds (https://reproducible-builds.org/)
>
> We are doing some communications and "amplification" on the Reproducible Builds team, and I'm wondering who in Tor has reproducibility on their plate, and might be good to talk to about Tor thinking on reproducibility?

You might find my Tor Demo Day presentation on doing RBM builds on Cirrus CI to be interesting. I think Tor intended to post a video of the talk, but I'm not sure if that ever happened. A subsequent blogpost I wrote on the subject (whose content overlaps somewhat with my talk) is available here:

https://www.namecoin.org/2021/06/09/rbm-on-cirrus-ci.html

Cheers,
--
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile@airmail.cc
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jeremy@veclabs.net is having technical issues at the moment.

On 2021-11-21 17:24:35, Allen Gunn wrote:
> Hello friends,
>
> Another project with which I and Aspiration do a lot of work is Reproducible Builds (https://reproducible-builds.org/)
>
> We are doing some communications and "amplification" on the Reproducible Builds team, and I'm wondering who in Tor has reproducibility on their plate, and might be good to talk to about Tor thinking on reproducibility?
>
> We are trying to identify things we might visualize as well as how you are thinking about RB these days?

According to Debian, Tor (little t) is reproducible too:

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/tor.html

(Hi gunner :)

a.

--
Antoine Beaupré
torproject.org system administration

Hey Gunner!

Besides what boklm said; there have been some proposals for including browser update hashes in the consensus for additional trust, as a form of Binary Transparency type thing.

https://gitweb.torproject.org/torspec.git/tree/proposals/227-vote-on-package...

Firefox as built by Mozilla is also reproducible, but the scale between Tor Browser and Firefox is quite large so it's a very different kind of 'reproducible'.

-tom

On Mon, 22 Nov 2021 at 01:38, Allen Gunn <gunner@aspirationtech.org> wrote:
> Hello friends,
>
> Another project with which I and Aspiration do a lot of work is Reproducible Builds (https://reproducible-builds.org/)
>
> We are doing some communications and "amplification" on the Reproducible Builds team, and I'm wondering who in Tor has reproducibility on their plate, and might be good to talk to about Tor thinking on reproducibility?
>
> We are trying to identify things we might visualize as well as how you are thinking about RB these days?
>
> Thanks in advance...
>
> peace, gunner
>
> --
> Allen Gunn
> Executive Director, Aspiration
> www.aspirationtech.org
> Aspiration: "Better Tools for a Better World"
> Read our Manifesto: https://aspirationtech.org/publications/manifesto
> Twitter: www.twitter.com/aspirationtech

participants (6): Allen Gunn, Antoine Beaupré, HackerNCoder, Jeremy Rand, Nicolas Vigier, Tom Ritter