[tor-bugs] #3688 [Tor bundles/installation]: Deterministic builds for Linux and Mac OS

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Aug 5 00:56:08 UTC 2011


#3688: Deterministic builds for Linux and Mac OS
--------------------------------------+-------------------------------------
 Reporter:  mikeperry                 |          Owner:  erinn
     Type:  enhancement               |         Status:  new  
 Priority:  major                     |      Milestone:       
Component:  Tor bundles/installation  |        Version:       
 Keywords:                            |         Parent:       
   Points:                            |   Actualpoints:       
--------------------------------------+-------------------------------------
 To ensure integrity against build machine compromise, we should be able to
 produce identical binaries on two different identically configured
 machines and verify that the hash is the same for each. Right now, this is
 not possible, primarily because of two things:

 1. gcc uses entropy for symbol mangling
 2. The linker inserts timestamps into libraries, especially static ones.

 Issue 1 can be solved by giving gcc a specific seed in our makefiles
 (-frandom-seed=string). If we have no collisions, we can get away with
 giving the same seed to every gcc invocation.

 Issue 2 can be solved for static libraries by passing the -D option to
 'ar'. It is unclear if shared libraries can be produced in this way, or if
 this option is not needed for shared libraries.

 On Windows, the problem remains entirely unsolved:
 http://stackoverflow.com/questions/1180852/deterministic-builds-under-windows

 However, if we can do this for Linux and Mac OS using the same build
 flags, that would still be worth it.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3688>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
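The two fixes the ticket proposes (a fixed -frandom-seed for gcc and the D modifier for ar) can be checked with a small script. The following is an added example, not code from the ticket or from the Tor build system: it compiles a constructed two-file static library in two separate build trees, deliberately gives the second tree's object files a different mtime, archives both deterministically, and compares the archives byte for byte. It assumes gcc and a D-aware ar (GNU binutils) on PATH; the library name libdemo.a, the source files and the per-file seed scheme are invented for the demonstration. It goes slightly beyond the ticket in one respect: instead of the same seed for every gcc invocation, each translation unit gets a seed derived from its own file name, which is stable across builds but cannot collide between units.

```shell
#!/bin/sh
# Added example (not from the Tor ticket): reproduce a static library in two
# build trees and verify the results are identical.
# Assumes: gcc and GNU ar (or an ar that accepts the D modifier) on PATH.
# libdemo.a, add.c and mul.c are constructed for this demonstration.

# Write the constructed sources into one build tree.
write_sources() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/add.c" <<'EOF'
int add(int a, int b) { return a + b; }
EOF
    cat > "$dir/mul.c" <<'EOF'
int mul(int a, int b) { return a * b; }
EOF
}

# Compile every .c in the tree into a .o with a per-file deterministic seed.
# No -g: debug info would embed the absolute source path and break the
# comparison across differently named trees (gcc's -fdebug-prefix-map is the
# usual remedy; left out here to keep the example minimal).
compile_objects() {
    dir=$1
    (
        cd "$dir" || exit 1
        for src in *.c; do
            # Seed = library name + source name: identical on every machine,
            # distinct per translation unit, so seeds cannot collide.
            gcc -O2 -c -frandom-seed="libdemo-$src" -o "${src%.c}.o" "$src" || exit 1
        done
    )
}

# Archive the objects; D zeroes UID/GID/mode/mtime in every member header
# and in the symbol table, so input timestamps cannot leak into the .a file.
archive_objects() {
    dir=$1
    (
        cd "$dir" || exit 1
        rm -f libdemo.a
        ar rcsD libdemo.a *.o
    )
}

# Returns 0 when two independent builds yield byte-identical archives.
build_twice_and_compare() {
    work=${TMPDIR:-/tmp}/detbuild.$$
    rm -rf "$work"
    write_sources "$work/build-a"
    write_sources "$work/build-b"
    compile_objects "$work/build-a" || return 1
    compile_objects "$work/build-b" || return 1
    # Simulate a build on another machine at another time: give tree B's
    # objects an old mtime. Without the D modifier this would end up in the
    # archive headers and the comparison below would fail.
    touch -t 200001010000 "$work/build-b"/*.o
    archive_objects "$work/build-a" || return 1
    archive_objects "$work/build-b" || return 1
    if cmp -s "$work/build-a/libdemo.a" "$work/build-b/libdemo.a"; then
        echo "identical: libdemo.a reproduces across build trees"
        rc=0
    else
        echo "MISMATCH: libdemo.a differs between build trees" >&2
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

build_twice_and_compare
```

Two caveats a practitioner should keep in mind when extending this: many distributions now build binutils with --enable-deterministic-archives, so ar behaves as if D were given even when it is not (pass U to get the old behaviour), which can hide a missing D until the build moves to another system; and the script only covers the static-library case from the ticket, not shared libraries or the final link.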

