Reproducible builds

Reading stuff around the xz backdoor saga, I came to the realization that to prevent some of that stuff there were such initiatives a long time ago, which have worked to verify that binaries correspond to the source code.

What I didn’t realize before is that there are already successful reproducible builds of whole OS package sets, and preparations for verification tools for normal users.

Arch Linux state:
https://tests.reproducible-builds.org/archlinux/archlinux.html
https://reproducible.archlinux.org/

Other projects:
https://reproducible-builds.org/who/projects/

Reproducible builds guarantee that the package maintainer did not inject his own malware into the package when building it. This is the least concern, because Arch TUs are, by definition, trusted users. You and I, and everyone here, obviously trust them unconditionally, otherwise we wouldn’t be using Arch. They have the power to screw us, and if they decide to do so, we are screwed. No question about that.

Anyone who doubts them and continues to use their packages is clearly in contradiction and should immediately stop, and probably use Gentoo.

Consequently, they only get one chance: if malware is found in Arch repos and it is proven to be deliberately injected there by some TU, the only rational thing is to stop using Arch.

The problem with malware in FOSS is clearly not enough code review, reproducible builds won’t fix that.

Reproducible builds would be nice for binary distributed AUR packages, though, for stuff that takes hours to build, like LibreWolf. For such big packages, however, reproducibility is just a dream.

Well thx buddy, yes I’m schizo :clown_face: because I do NOT trust anyone, but not quite ready to use Gentoo just yet :rofl:

Every distro TU has missed xz, and just some M$ dev benchmark autist accidentally caught it…yeah :rofl:
There’s no such thing as trusted, in my view.
Anyone can be a malicious actor, even if it takes a very long time of persistence to gain trust…and nobody in the universe can really audit all the source code on their own, be it a Gentoo user or super-h4xXx0r…

Not really, if you look at the package stats of Arch above…if Chromium is reproducible, there’s no reason Firefox / LibreWolf wouldn’t be in the near future.

Reproducible build wouldn’t make xz any easier to find. It would be reproducible with malware.

There is no way to rationally justify holding those two positions at the same time.

Actually it would, because it was possible due to a modified tarball on GitHub, which would be caught by a mismatch.

As far as I understand, the malware injection was part of the automated build scripts, in some unit tests that are run automatically after build.

Therefore, it would not be detected. You’d build the tarball, I’d build the tarball, and we’d have the exact same tarball. With malware.

That’s why one should build from git in order to compare…not some…Micro$oft GitHub hosted BALLS!

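The mismatch the last two posts argue about (a release tarball that differs from the tagged git tree) is easy to check mechanically. The following is an added example, not code from the thread or from any distro's tooling: it hashes every file in two archives (assumed to be a `git archive` of the tag and the published release tarball) and reports files that were added, removed or altered. The project name, file paths and contents are constructed sample data.

```python
import hashlib
import io
import tarfile


def _tree_hashes(tar_bytes: bytes) -> dict:
    """Map every regular file in a tar archive to the SHA-256 of its content."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                hashes[member.name] = hashlib.sha256(data).hexdigest()
    return hashes


def diff_tarballs(git_archive: bytes, release_tarball: bytes) -> dict:
    """Files present only in the release tarball, only in the git archive,
    or whose content differs between the two (paths sorted for stable output)."""
    git_tree = _tree_hashes(git_archive)
    rel_tree = _tree_hashes(release_tarball)
    return {
        "added": sorted(set(rel_tree) - set(git_tree)),
        "removed": sorted(set(git_tree) - set(rel_tree)),
        "modified": sorted(p for p in git_tree
                           if p in rel_tree and git_tree[p] != rel_tree[p]),
    }


def make_tar(files: dict) -> bytes:
    """Build an in-memory .tar.gz from {path: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: the tagged git tree, and a release tarball in which one
# build macro was altered and one extra test-data file was slipped in.
GIT_ARCHIVE = make_tar({
    "proj-1.0/configure.ac": b"AC_INIT([proj], [1.0])\n",
    "proj-1.0/m4/build.m4": b"dnl helper macros\n",
    "proj-1.0/src/main.c": b"int main(void) { return 0; }\n",
})
RELEASE_TARBALL = make_tar({
    "proj-1.0/configure.ac": b"AC_INIT([proj], [1.0])\n",
    "proj-1.0/m4/build.m4": b"dnl helper macros\nEXTRA_STEP=1\n",
    "proj-1.0/src/main.c": b"int main(void) { return 0; }\n",
    "proj-1.0/tests/files/blob.bin": b"\x00\x01\x02",
})
```

Run `diff_tarballs(GIT_ARCHIVE, RELEASE_TARBALL)` to see the altered macro under `modified` and the extra blob under `added`; an empty result in all three lists is what a clean release should produce.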
This is an example of what I was looking for. I can finally see any build log of keepassxc.

But where is the checksum of the keepassxc binary at the end of the build log result?

Yes there is, have you seen the source code for Firefox? :rofl:

This tool might be of help

Work in progress. Please read the code before using.