[tbb-dev] Reproducible Builds Summit

Matthew Finkel matthew.finkel at gmail.com
Mon Dec 17 18:49:36 UTC 2018

On Mon, Dec 17, 2018 at 06:25:48PM +0100, Nicolas Vigier wrote:
> Hello,
> I was at the reproducible builds summit last week. During the meeting
> there were discussions about various topics related to reproducible
> builds:
>  - reproducible builds for various languages, filesystems and distributions
>  - bootstrapping
>  - rebuilders and user verification
>  - software transparency
> I think the two most interesting discussions for me were about rebuilders
> and user verification, and software transparency.

Interesting, thanks!

> = Software Distribution Transparency and Auditability =
> Benjamin Hof is working on tools for Software Distribution Transparency
> and Auditability:
> https://arxiv.org/abs/1711.07278
> https://debconf18.debconf.org/talks/104-software-transparency-package-security-beyond-signatures-and-reproducible-builds/
> He has implemented some prototypes to improve software distribution
> transparency in Debian, using a public log server which can be used to
> monitor the packages which have been distributed to users. I discussed
> with him how something similar could be done in Tor Browser.
> Here is how it could work:
> - we add a log server which can be used to cryptographically prove:
>    * inclusion of an update in the log
>    * append-only operation of the log
> - when we release a new Tor Browser version, we add checksums of the
>   new mar files to the log.
> - when the Tor Browser updater receives a new update, it checks if the
>   update is in the log, before applying it. If the update is not in the
>   log, then the update is not applied.
> - independant monitors analyse the logs. They check that all checksums
>   published in the log correspond to a known release. They can also check
>   that the build corresponding to those checksums is reproducible. The
>   log is public, so anybody can monitor it.
> The main improvement from this system is that it allows anyone to check
> that all the updates used by all users are reproductible builds, while
> today you can only verify that for one downloaded copy of the software.

This seems like it has the same goal as Mozilla's Binary Transparency
log: https://wiki.mozilla.org/Security/Binary_Transparency

I'm not sure if Mozilla are actively working on this, but based on the
two bug on that page, it seems like it isn't a priority right now:

More information about the tbb-dev mailing list