Feature #14455
Reproducible Builds Stage 2
Description
There has been a lot of progress to achieve reproducible builds of the Tails ISO image (Feature #5630). But to effectively protect against infrastructure or developer compromise, it should also be possible to verify that the packages downloaded from our repositories are not modified. This affects two repositories:
1. The custom APT repository we host to provide our custom Debian packages.
2. The snapshots of the Debian repositories we host to fetch Debian packages during build.
(We host a third repository, but it affects only development builds, so it is not relevant for releases, which is what we care about in this effort.)
Those packages could be maliciously modified by Administrators / compromised infrastructure, and there is currently no process to verify that these packages are not modified.
We want to solve this issue in the “second stage” of our effort to provide reproducible builds.
One question shall be answered first though: assuming we solve the issues described above, what are the remaining ones? IOW, will this substantially raise the bar for an adversary?
Related issues
Related to Tails - Feature #6220: Automated Debian package build infrastructure (Confirmed, 2013-08-07)
History
#1 Updated by BitingBird 2017-08-28 21:06:02
- Assignee set to intrigeri
- Target version changed from 2018 to 2019
team: segfault, lamby, intrigeri (tech team lead, consultant, management)
#2 Updated by intrigeri 2017-08-30 10:49:11
- Description updated
- Assignee changed from intrigeri to segfault
#3 Updated by lamby 2017-08-30 14:03:52
Hey segfault!
Have we met? :) If not, hope to do so soon…
> One question shall be answered first though: assuming we solve the issues described above, what are the remaining ones? IOW, will this substantially raise the bar for an adversary?
Could you elaborate more on what you mean by “second stage”? I mean, things like ensuring the source code was not modified is obviously important (!) but not under the heading of “reproducible builds” (which deliberately assumes that the source is Totally Safe).
Perhaps this is stuff around distributing the SHA?
#4 Updated by segfault 2017-08-30 19:27:25
Hey lamby! I don’t think we met yet, but I’m looking forward to it :)
> Could you elaborate more on what you mean by “second stage”? I mean, things like ensuring the source code was not modified is obviously important (!) but not under the heading of “reproducible builds” (which deliberately assumes that the source is Totally Safe).
These issues were raised by intrigeri, and I only tried to summarize them, but if I understand correctly, the problem we want to tackle here is not that the source code might be manipulated, but that there is no way to verify that the packages downloaded from our repositories during the build process are:
- reproducibly built (in case of the custom APT repository with our own packages), or
- identical to the packages distributed by Debian (in case of our snapshots of the Debian repositories).
Also note that I have little knowledge of Debian packages and APT internals (which is one of the reasons we want you on board for this, I think).
#5 Updated by lamby 2017-08-31 08:58:12
> no way to verify that the packages downloaded from our repositories during the build process are reproducibly built
That’s true. This is currently not really possible in Debian alas, although do see:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872514
> are identical to the packages distributed by Debian
AIUI that should be possible right now, or at least all the “parts” are there?
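As an added illustration (not code from this ticket or from Tails), one way to do the second check lamby refers to: compare a snapshot's Packages index against Debian's own index by SHA256, reporting packages whose hash differs and packages Debian never published. Package names, versions and hashes below are constructed.

```python
"""Added example: check a snapshot's Packages index against Debian's.

Each index is parsed into {(Package, Version): SHA256}; a package whose
hash differs from upstream, or that upstream never shipped, is reported.
The sample indexes below are constructed, not real Debian data.
"""


def parse_packages_index(text):
    """Parse an APT Packages file (blank-line separated RFC822-style
    stanzas). Indented continuation lines (long Descriptions) are skipped."""
    result = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace():
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields and "SHA256" in fields:
            result[(fields["Package"], fields["Version"])] = fields["SHA256"]
    return result


def compare_indexes(snapshot_text, upstream_text):
    """Return {'modified': [...], 'unknown': [...]} keyed by (name, version).
    'modified' = same name/version but different SHA256 than Debian's index;
    'unknown' = present in the snapshot but never published by Debian."""
    snap = parse_packages_index(snapshot_text)
    up = parse_packages_index(upstream_text)
    modified = sorted(k for k in snap if k in up and snap[k] != up[k])
    unknown = sorted(k for k in snap if k not in up)
    return {"modified": modified, "unknown": unknown}


# Constructed sample: one unchanged package (with a multi-line Description),
# one whose hash was altered in the snapshot, one Debian never shipped.
UPSTREAM = ("Package: hello\nVersion: 2.10-2\nDescription: test\n more\n"
            "SHA256: 1111\n\n"
            "Package: tor\nVersion: 0.3.5.8-1\nSHA256: 2222\n")
SNAPSHOT = ("Package: hello\nVersion: 2.10-2\nDescription: test\n more\n"
            "SHA256: 1111\n\n"
            "Package: tor\nVersion: 0.3.5.8-1\nSHA256: 9999\n\n"
            "Package: extra\nVersion: 1.0-1\nSHA256: 3333\n")

if __name__ == "__main__":
    print(compare_indexes(SNAPSHOT, UPSTREAM))
```

In practice the upstream index would be fetched from a Debian mirror and the signature on its InRelease file verified before its hashes are trusted; the per-package .deb files in the snapshot are then hashed and checked against the matching index entries.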
#6 Updated by intrigeri 2017-10-03 06:28:14
- related to Feature #6220: Automated Debian package build infrastructure added
#7 Updated by Anonymous 2017-11-01 15:18:59
- Description updated
#8 Updated by intrigeri 2018-10-11 09:30:28
- blocked by #15903 added
#9 Updated by intrigeri 2018-10-11 09:30:47
- Assignee deleted (segfault)
- Target version changed from 2019 to 2020