[tor-bugs] #28102 [Applications/Tor Browser]: Make sure we pick the exact same compile environment for Tor Browser builds
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Oct 18 10:37:03 UTC 2018
#28102: Make sure we pick the exact same compile environment for Tor Browser builds
-------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-rbm, TorBrowserTeam201810 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------+--------------------------
Comment (by boklm):
I can think about the following ways to fix that:
- specify exactly the versions of the packages we need, when we know that
this package can cause reproducibility issues. For example we could make
the firefox build on macOS require `gcc-49=4.9.2-10+deb8u1`. The problem
is that any package update could cause such issue, and it can take time
until we notice it. With complex package such as gcc, with many
dependencies, the list of packages for which we need to specify the
version might be long.
- add a container image version number. We can then increase this number
when we need to invalidate old containers after we found that an update is
causing a reproducibility issue. Like the first option, this means that we
only fix the issues after finding them, and the previous releases can
become unreproducible.
- use snapshots.debian.org to only install package updates that were
available on a specific date. I think the main problem would be that
changing the selected date would cause everything to be rebuilt, but that
might be ok if we don't do it too often.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28102#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list