Law of Reproducibility

Karl gmkarl at gmail.com
Wed Jun 9 07:21:09 PDT 2021


grarpamp cited this important law recently while trying to talk about some
important things with me that I still don't quite understand

Here's an update on reproducibility!

TLDR: bsd is still more secure than linux but debian has a tool to verify
before install, tails says it is fully reproducible, and of course guix
takes it seriously.  tor made a project-independent reproducibility
manager.  coreboot is reproducible.


- Arch Linux is 88.1% reproducible, with 1360 bad, 37 unknown and
10375 good packages.

https://reproducible.archlinux.org/

Debian: 29629 (95.7%) packages built reproducibly in bullseye/amd64
https://tests.reproducible-builds.org/debian/bullseye/amd64/index_reproducible.html
(debian unstable is more like 85%)
=> on debian, in-toto can be used to verify reproducibility before
installation https://github.com/in-toto/apt-transport-in-toto

ElectroBSD itself (kernel + world), the distribution tarballs (base.txz,
kernel.txz, lib32.txz, src.txz) and thus the MANIFEST can be built
reproducibly on all the supported architectures (a fancy way to refer to
amd64 and i386).  There's work in progress to make the release image
reproducible as well.
https://www.fabiankeil.de/gehacktes/electrobsd/#reproducible-electrobsd

F-droid enumerates its reproducibility but does not appear to quickly
summarise it on the web: https://verification.f-droid.org/

Most of FreeBSD builds "reproducibly" (aka. with two builds producing
identical binaries) but there are a few deviations from this
https://wiki.freebsd.org/ReproducibleBuilds/Base
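The check behind every percentage quoted in this post, and behind the "two builds producing identical binaries" definition just above, is the same: build the same source twice (or fetch a rebuilder's result), hash every output artifact, and expect the hashes to agree. The script below is an added example, not code from any of the listed projects or from in-toto; it walks two build output trees, produces a per-file SHA-256 manifest for each, and classifies every artifact as identical, differing, or present on only one side. The sample trees it builds in a temporary directory are constructed for the demo, with one file that embedded a build timestamp, which is a common reason a package lands in the "bad" column.

```python
"""Compare two independent builds of the same source and report which
artifacts differ. Added example; the sample build trees are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large artifacts never load whole into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are recorded by their target string rather than followed, so a link
    pointing outside the tree cannot make two builds 'match' on foreign content.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            manifest[rel] = "symlink:" + os.readlink(path)
        elif path.is_file():
            manifest[rel] = sha256_file(path)
    return manifest


def compare_manifests(first: dict, second: dict) -> dict:
    """Classify every artifact as identical, differing, or present on one side only."""
    names_first, names_second = set(first), set(second)
    common = names_first & names_second
    return {
        "identical": sorted(n for n in common if first[n] == second[n]),
        "differing": sorted(n for n in common if first[n] != second[n]),
        "only_in_first": sorted(names_first - names_second),
        "only_in_second": sorted(names_second - names_first),
    }


def is_reproducible(report: dict) -> bool:
    """A build counts as reproducible only if nothing differs and nothing is missing."""
    return not (report["differing"] or report["only_in_first"] or report["only_in_second"])


def demo() -> dict:
    """Constructed sample: two 'builds' that agree on the binary but disagree on a
    metadata file that embedded the build time, plus one stray extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        first = Path(tmp) / "build1"
        second = Path(tmp) / "build2"
        for build_dir, stamp in ((first, "2021-06-09T07:21:09"), (second, "2021-06-09T08:02:44")):
            (build_dir / "usr" / "bin").mkdir(parents=True)
            (build_dir / "usr" / "share").mkdir(parents=True)
            # Identical in both builds: the actual program output.
            (build_dir / "usr" / "bin" / "tool").write_bytes(b"\x7fELF constructed-sample-binary")
            # Differs between builds: a timestamp leaked into an artifact.
            (build_dir / "usr" / "share" / "buildinfo.txt").write_text(f"built-at: {stamp}\n")
        # Present in only one build: leftover from a non-hermetic build step.
        (second / "usr" / "share" / "extra.txt").write_text("should not be here\n")

        report = compare_manifests(tree_manifest(first), tree_manifest(second))
        return {"report": report, "reproducible": is_reproducible(report)}


if __name__ == "__main__":
    result = demo()
    for category, names in result["report"].items():
        print(f"{category}: {names}")
    print("reproducible:", result["reproducible"])
```

Run it on two real build directories by calling `compare_manifests(tree_manifest(Path(a)), tree_manifest(Path(b)))`; the point of returning the full classification rather than a single boolean is that the differing list is exactly what a packager needs to chase down (timestamps, build paths, locale-dependent sort order), while the only-on-one-side lists catch non-hermetic build steps that a plain hash-of-the-tarball comparison would only report as "different".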

The guix distribution is founded on reproducibility (but not security).  I
didn't find their current status on the web, but if using guix there is a
command-line tool to display it.  https://guix.gnu.org/
https://hydra.gnu.org/

NetBSD (2017-02-20): we have fully reproducible builds on amd64 and sparc64
https://blog.netbsd.org/tnf/entry/netbsd_fully_reproducible_builds

NixOS (this is the same as guix right?)  99.83% paths in the minimal
installation image are reproducible
https://r13y.com/

OpenSUSE 95.34% reproducible packages
https://rb.zq1.de/compare.factory/report.txt
Building reproducible binaries takes configuration
https://en.opensuse.org/openSUSE:Reproducible_Builds#With_OBS

OpenWRT: For x86/generic we could build 1 (100.0%) out of 1 images and 9217
(98.1%) out of 9390 packages reproducibly in our test setup.
https://tests.reproducible-builds.org/openwrt/openwrt_x86.html

Qubes hasn't reported in a couple years.  In 2019 it was expected that dom0
would have all reproducible packages for 4.1
https://github.com/QubesOS/qubes-issues/issues/816#issuecomment-519912024

Tails ISO and USB images should be reproducible: everybody who builds one
of them should be able to obtain the exact same resulting image from a
given Git tag.
https://tails.boum.org/contribute/build/reproducible/

Yocto: 99.79%, 34095 packages in openembedded-core
https://www.yoctoproject.org/reproducible-build-results/



The following individual projects set up infrastructure for fully
reproducible builds:
- Bitcoin
https://github.com/bitcoin-core/docs/blob/master/gitian-building.md
- BitShares https://github.com/bitshares/bitshares-gitian
- Coreboot, crucially
https://tests.reproducible-builds.org/coreboot/coreboot.html
- Monero
https://github.com/monero-project/monero/issues/2641#issuecomment-501197384
- Trezor
https://wiki.trezor.io/Developers_guide:Deterministic_firmware_build
- Tor Browser's general purpose reproducible build manager
https://rbm.torproject.org/
- webconverger's link is to a video, so is not included



Data collected from links on https://reproducible-builds.org/projects/ .
The page does not look recently updated everywhere, and some listed
projects had no links, and I did not visit those projects without links.