grarpamp cited this important law recently while trying to talk about some important things with me that I still don't quite understand.

Here's an update on reproducibility!

TLDR: bsd is still more secure than linux but debian has a tool to verify before install, tails says it is fully reproducible, and of course guix takes it seriously. tor made a project-independent reproducibility manager. coreboot is reproducible.

- Arch Linux is 88.1% reproducible with 1360 bad, 37 unknown and 10375 good packages. https://reproducible.archlinux.org/
- Debian: 29629 (95.7%) packages which built reproducibly in bullseye/amd64 https://tests.reproducible-builds.org/debian/bullseye/amd64/index_reproducib... (debian unstable is more 85%) => on debian, in-toto can be used to verify reproducibility before installation https://github.com/in-toto/apt-transport-in-toto
- ElectroBSD: ElectroBSD itself (kernel + world), the distribution tarballs (base.txz, kernel.txz, lib32.txz, src.txz) and thus the MANIFEST can be built reproducible on all the supported architectures (a fancy way to refer to amd64 and i386). There's work in progress to make the release image reproducible as well. https://www.fabiankeil.de/gehacktes/electrobsd/#reproducible-electrobsd
- F-droid enumerates its reproducibility but does not appear to quickly summarise it on the web: https://verification.f-droid.org/
- FreeBSD: Most of FreeBSD builds "reproducibly" (aka. with two builds producing identical binaries) but there are a few deviations from this https://wiki.freebsd.org/ReproducibleBuilds/Base
- Guix: The guix distribution is founded on reproducibility (but not security). I didn't find their current status on the web, but if using guix there is a command-line tool to display it. https://guix.gnu.org/ https://hydra.gnu.org/
- NetBSD: 2017-02-20 we have fully reproducible builds on amd64 and sparc64 https://blog.netbsd.org/tnf/entry/netbsd_fully_reproducible_builds
- NixOS (this is the same as guix right?): 99.83% paths in the minimal installation image are reproducible https://r13y.com/
- OpenSUSE: 95.34% reproducible packages https://rb.zq1.de/compare.factory/report.txt Building reproducible binaries takes configuration https://en.opensuse.org/openSUSE:Reproducible_Builds#With_OBS
- OpenWRT: For x86/generic we could built 1 (100.0%) out of 1 images and 9217 (98.1%) out of 9390 packages reproducibly in our test setup. https://tests.reproducible-builds.org/openwrt/openwrt_x86.html
- Qubes hasn't reported in a couple years. In 2019 it was expected that dom0 would have all reproducible packages for 4.1 https://github.com/QubesOS/qubes-issues/issues/816#issuecomment-519912024
- Tails: ISO and USB images should be reproducible: everybody who builds one of them should be able to obtain the exact same resulting image from a given Git tag. https://tails.boum.org/contribute/build/reproducible/
- Yocto: 99.79% of 34095 packages in openembedded-core https://www.yoctoproject.org/reproducible-build-results/

The following individual projects set up infrastructure for fully reproducible builds:

- Bitcoin https://github.com/bitcoin-core/docs/blob/master/gitian-building.md
- BitShares https://github.com/bitshares/bitshares-gitian
- Coreboot, crucially https://tests.reproducible-builds.org/coreboot/coreboot.html
- Monero https://github.com/monero-project/monero/issues/2641#issuecomment-501197384
- Trezor https://wiki.trezor.io/Developers_guide:Deterministic_firmware_build
- Tor Browser's general purpose reproducible build manager https://rbm.torproject.org/
- webconverger's link is to a video, so is not included

Data collected from links on https://reproducible-builds.org/projects/ . The page does not look recently updated everywhere, and some listed projects had no links, and I did not visit those projects without links.
The reproducibility of OpenWRT for other architectures can be seen at https://tests.reproducible-builds.org/openwrt/openwrt.html . I expect the results are comparable to x86, but have not looked.
A note to the side, last I looked at tails they still had the standard policy of not revealing security vulnerabilities until a release could be made. We've since learned that security vulnerabilities are the primary way of deanonymising people, so hopefully they have a policy of distributing immediate security updates now like most distributions do, but I worry they still might not.
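The "two builds producing identical binaries" check that the message above uses as its definition of reproducibility, as an added example that is not from the thread or from any distribution's own tooling: a constructed build step that bakes in its build path and the wall clock, beside a variant that honours SOURCE_DATE_EPOCH and sorts its inputs, each run twice and compared by digest. The source tree, function names and timestamp value are all constructed for the demo.

```shell
#!/bin/sh
# Added example: the "build twice, compare digests" reproducibility check,
# applied to a constructed build step in two variants.
set -eu

# Constructed source tree; any real project tree would do.
make_source() {
    mkdir -p "$1/src"
    printf 'int main(void) { return 0; }\n' > "$1/src/main.c"
    printf 'hello 1.0\n' > "$1/src/VERSION"
}

# Unreproducible build: bakes the absolute build path and the wall clock
# into the artifact, two classic sources of non-determinism.
build_naive() {           # $1 = build dir, $2 = artifact path
    {
        printf 'built-at=%s\n' "$(date +%s)"
        printf 'built-in=%s\n' "$1"
        cat "$1/src/VERSION" "$1/src/main.c"
    } > "$2"
}

# Reproducible build: timestamp from SOURCE_DATE_EPOCH, a fixed logical
# build root instead of the real path, inputs sorted by name.
build_deterministic() {   # $1 = build dir, $2 = artifact path
    {
        printf 'built-at=%s\n' "${SOURCE_DATE_EPOCH:-0}"
        printf 'built-in=%s\n' '/build'
        (cd "$1" && find src -type f | LC_ALL=C sort | xargs cat)
    } > "$2"
}

# Run one build function in two fresh directories and compare SHA-256
# digests. Returns 0 only when the artifacts are bit-for-bit identical.
build_twice() {           # $1 = name of a build function
    work=$(mktemp -d)
    make_source "$work/a"; make_source "$work/b"
    "$1" "$work/a" "$work/out-a"
    "$1" "$work/b" "$work/out-b"
    ha=$(sha256sum "$work/out-a" | cut -d' ' -f1)
    hb=$(sha256sum "$work/out-b" | cut -d' ' -f1)
    rm -rf "$work"
    [ "$ha" = "$hb" ]
}

export SOURCE_DATE_EPOCH=1623240000   # constructed fixed timestamp
if build_twice build_naive; then echo "naive: identical"; else echo "naive: differs"; fi
if build_twice build_deterministic; then echo "deterministic: identical"; else echo "deterministic: differs"; fi
```

Real distribution checkers (the reproducible-builds.org test pages linked above) do the same comparison at package scale, typically varying build path, time and locale between the two runs on purpose.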
On Wed, Jun 9, 2021, 12:42 PM Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
On Wed, 9 Jun 2021 10:46:06 -0400 Karl <gmkarl@gmail.com> wrote:
A note to the side, last I looked at tails they still had the standard policy of not revealing security vulnerabilities
tails must be blacklisted like any other kind of garbage coming from the pentagon.
I popped in to the website and was impressed by the crucial work put into making their distribution accessible. I stopped using tails because I wanted faster security updates back then, but I didn't even make a feature request about it.
participants (2): Karl, Punk-BatSoup-Stasi 2.0