[tor-bugs] #31691 [Applications/Tor Browser]: Go ldflags should set static build ID

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Nov 16 05:57:18 UTC 2019


#31691: Go ldflags should set static build ID
--------------------------------------+--------------------------
 Reporter:  JeremyRand                |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-rbm                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by JeremyRand):

 > Interesting. I wonder why we have not hit that issue yet.

 I'm not 100% sure why Tor hasn't had problems with it; I can confirm that
 Namecoin is definitely having problems with it when using Tor's rbm
 projects; see https://github.com/namecoin/ncdns-repro/issues/57 .  I can
 think of 2 plausible explanations for this:

 1. Namecoin exercises cgo-related code paths in more interesting ways than
 Tor does, so maybe the build ID happens to be reproducible in Tor's setup
 when not using cgo in the ways that Namecoin does.
 2. Namecoin uses `go install` to build the final binaries, whereas Tor
 uses `go install` only to build libraries and `go build` to build the
 final binaries, so maybe the build ID happens to be reproducible in Tor's
 setup when using `go build`, and possibly either the build ID isn't
 embedded into libraries at all, or no one has checked the libraries for
 reproducibility issues since the final executable output is still
 reproducible.

 That said, the build ID is almost definitely nonreproducible even in Tor's
 usage when comparing rbm-built binaries to non-rbm-built binaries, because
 the build ID is partially dependent on the build path, which is consistent
 inside rbm but won't be consistent elsewhere.  So, fixing this is useful
 to make it easier to audit the reproducibility of Tor's binaries via build
 platforms other than rbm (in addition to the fact that it seems to be
 needed for downstream projects like Namecoin to be reproducible at all,
 for some reason).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31691#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
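
An added example, not part of the ticket or of Tor's or Namecoin's build tooling: a small Go checker for the audit the comment describes, comparing the build ID embedded in two builds of the same source. It scans for the `\xff Go build ID: "..."` text marker that the Go linker writes into non-ELF outputs (ELF binaries keep the ID in a note section, which `go tool buildid` reads). The function names and the sample bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
)

// Markers the Go linker places around the build ID in non-ELF outputs.
var idPrefix = []byte("\xff Go build ID: \"")
var idEnd = []byte("\"\n \xff")

// ExtractBuildID returns the embedded build ID (assumes no escaped characters in it).
func ExtractBuildID(data []byte) (string, error) {
	_, rest, found := bytes.Cut(data, idPrefix)
	id, _, closed := bytes.Cut(rest, idEnd)
	if !found || !closed {
		return "", errors.New("no complete Go build ID marker")
	}
	return string(id), nil
}

// SameBuildID reports whether both artifacts embed the same build ID.
func SameBuildID(a, b []byte) (bool, error) {
	ida, err := ExtractBuildID(a)
	if err != nil {
		return false, err
	}
	idb, err := ExtractBuildID(b)
	return err == nil && ida == idb, err
}

// constructed returns made-up bytes standing in for a binary: filler around the marker.
func constructed(id string) []byte {
	return bytes.Join([][]byte{[]byte("MZ-filler"), idPrefix, []byte(id), idEnd, []byte("code")}, nil)
}

func main() {
	// Constructed samples: same source, IDs differing as if built under two paths.
	a, b := constructed("aaa/x/y/bbb"), constructed("ccc/x/y/ddd")
	if len(os.Args) == 3 { // two real build outputs; a read error surfaces as a missing marker
		a, _ = os.ReadFile(os.Args[1])
		b, _ = os.ReadFile(os.Args[2])
	}
	same, err := SameBuildID(a, b)
	fmt.Println("same build ID:", same, "error:", err)
}
```

Run it with two file paths to compare an rbm-built artifact against one built elsewhere; with no arguments it compares the constructed samples.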

