[tor-bugs] #21032 [Applications/Tor Browser]: Creating some public database of "reproduced builds"
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Dec 19 14:44:54 UTC 2016
#21032: Creating some public database of "reproduced builds"
------------------------------------------+----------------------
Reporter: boklm | Owner: tbb-team
Type: task | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
The process of checking that our builds have been reproduced by multiple
people is currently mostly manual. In order to make this process easier,
more automated (to be able to use it in the updater or some launcher) and
possible to use at a larger scale (checking that some large number of
people reproduced a build), we could have some tool indexing the builds
created by various people.

This could be done by adding the generation of some `buildinfo` files
(similar to Debian's buildinfo files) to our build process, containing
important information about the build, such as its inputs and outputs,
and indexing them with their signatures in some database.

This database would contain the following types of builds or operations,
signed by various builders:
- the build of a bundle from a git tag
- the creation of a signed mar file, from an unsigned mar (or the reverse
  operation)
- the creation of an OSX code-signed mar file, from an unsigned mar (or
  the reverse operation)
- the creation of an incremental mar file, from two full mar files
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21032>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
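
A sketch of the index the ticket proposes, added here as an illustration and not code from the ticket or from Tor Browser's build system. The record fields (`builder`, `operation`, `inputs`, `outputs`), the operation names and the sample values are assumptions, and signature verification is assumed to have happened before a record is indexed.

```python
import hashlib
import json
from collections import defaultdict

def digest(obj):
    """sha256 over canonical JSON, so key order in a record does not matter."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def build_index(records):
    """Map (operation + inputs) -> outputs digest -> set of builders.

    Assumption: each record's signature was already verified, and "builder"
    is the identity of the verified signing key.
    """
    index = defaultdict(lambda: defaultdict(set))
    for r in records:
        key = digest({"operation": r["operation"], "inputs": r["inputs"]})
        index[key][digest(r["outputs"])].add(r["builder"])
    return index

def check_reproduced(index, operation, inputs, outputs, threshold):
    """Return (status, builders who reported exactly `outputs`).

    "conflict": some builder reported different outputs for the same inputs.
    "reproduced": no conflict and at least `threshold` distinct builders agree.
    "insufficient": no conflict, but too few builders.
    """
    by_output = index.get(digest({"operation": operation, "inputs": inputs}), {})
    claimed = digest(outputs)
    agreeing = set(by_output.get(claimed, ()))
    if any(d != claimed for d in by_output):
        return "conflict", agreeing
    return ("reproduced" if len(agreeing) >= threshold else "insufficient"), agreeing

# Constructed sample records; digests are placeholders, not real build hashes.
TAG_IN = {"git_tag": "example-tag"}
TAG_OUT = {"bundle.tar.xz": digest("bundle")}
INC_IN = {"from_mar": digest("full-1"), "to_mar": digest("full-2")}
INC_OUT = {"incremental.mar": digest("inc")}
SAMPLE = [
    {"builder": "builder-a", "operation": "build-from-tag", "inputs": TAG_IN, "outputs": TAG_OUT},
    {"builder": "builder-b", "operation": "build-from-tag", "inputs": TAG_IN, "outputs": TAG_OUT},
    {"builder": "builder-a", "operation": "incremental-mar", "inputs": INC_IN, "outputs": INC_OUT},
    {"builder": "builder-c", "operation": "incremental-mar", "inputs": INC_IN,
     "outputs": {"incremental.mar": digest("other")}},
]

if __name__ == "__main__":
    idx = build_index(SAMPLE)
    print(check_reproduced(idx, "build-from-tag", TAG_IN, TAG_OUT, threshold=2))
    print(check_reproduced(idx, "incremental-mar", INC_IN, INC_OUT, threshold=1))
```

Counting distinct builders rather than records keeps one builder from meeting the threshold by submitting the same result several times, and a single disagreeing record is surfaced as a conflict instead of being outvoted.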