I had the opportunity to participate in an Athens Hackerspace event with a dozen Debian developers about the issue with reproducible distribution package builds.
I had never thought of this before and the presentation blew me away!
So here is the deal: if you download the latest openssl package from an archlinux mirror (which is what archlinux users are going to do):
# pacman -Sw openssl
What if we try to build openssl ourselves from the PKGBUILD file?
# cd /var/abs/core/openssl
$ makepkg -cf
==> Making package: openssl 1.0.2.e-1 (Sun Dec 6 13:07:08 EET 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found openssl-1.0.2e.tar.gz
-> Found openssl-1.0.2e.tar.gz.asc
-> Found no-rpath.patch
-> Found ca-dir.patch
==> Validating source files with md5sums...
openssl-1.0.2e.tar.gz ... Passed
openssl-1.0.2e.tar.gz.asc ... Skipped
no-rpath.patch ... Passed
ca-dir.patch ... Passed
==> Verifying source file signatures with gpg...
openssl-1.0.2e.tar.gz ... Passed
==> Extracting sources...
-> Extracting openssl-1.0.2e.tar.gz with bsdtar
==> Starting prepare()...
...
...
...
==> Leaving fakeroot environment.
==> Finished making: openssl 1.0.2.e-1 (Sun Dec 6 13:11:06 EET 2015)
==> Cleaning up...
Let’s check the md5sum:
# md5sum /var/cache/pacman/pkg/openssl-1.0.2.e-1-x86_64.pkg.tar.xz /var/abs/core/openssl/openssl-1.0.2.e-1-x86_64.pkg.tar.xz
b555ac4294a2f39ef0caa19e21a28355 /var/cache/pacman/pkg/openssl-1.0.2.e-1-x86_64.pkg.tar.xz
08755bad654f74b8a1c4c5386934aeea /var/abs/core/openssl/openssl-1.0.2.e-1-x86_64.pkg.tar.xz
wat ???
Why aren't the two files exactly the same?
Let’s find out what the differences between these two files are by using diffoscope:
diffoscope --html /tmp/openssl.html /var/cache/pacman/pkg/openssl-1.0.2.e-1-x86_64.pkg.tar.xz /var/abs/core/openssl/openssl-1.0.2.e-1-x86_64.pkg.tar.xz
Fire up a web browser and open /tmp/openssl.html.
Read the output carefully; most of the differences are timestamps.
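To see where those timestamps come from and how they are removed, here is an added example (not code from the original post, and not Arch's makepkg): a toy package build run twice the naive way, then twice with every clock reading pinned to SOURCE_DATE_EPOCH (the convention the reproducible-builds project uses), comparing the archive hashes each time. The source tree, the BUILDINFO stamp and the epoch value 1449405000 are constructed for the example; it assumes Linux with GNU or busybox tar, date, touch, find and sha256sum.

```shell
#!/bin/sh
# Added example, not code from the original post and not Arch's makepkg: a toy
# "package build" run twice, first the naive way and then with every timestamp
# pinned to SOURCE_DATE_EPOCH, to show why identical sources give different
# archives and what normalisation fixes it. Assumes Linux with GNU/busybox
# tar, date, touch, find and sha256sum.
set -e

# Constructed source tree standing in for the upstream tarball plus patches.
make_source_tree() {
    dir=$1
    mkdir -p "$dir/src"
    printf 'int main(void) { return 0; }\n' > "$dir/src/main.c"
    printf 'pkgname = toypkg\npkgver = 1.0-1\n' > "$dir/PKGINFO"
}

# Naive build: stamps the wall-clock time into BUILDINFO (as many build systems
# do with __DATE__ or `date`), leaves file mtimes at "now" and lets tar record
# whatever order the directory listing happens to return.
build_naive() {
    src=$1; out=$2
    stage=$(mktemp -d)
    cp -R "$src"/. "$stage"/
    printf 'builddate = %s\n' "$(date +%s)" > "$stage/BUILDINFO"
    tar -cf "$out" -C "$stage" .
    rm -rf "$stage"
}

# Reproducible build: the only clock is SOURCE_DATE_EPOCH, which goes into
# BUILDINFO and onto every file's mtime, and tar gets a sorted file list so
# directory order cannot leak into the archive. (A real packager would also
# pass --owner=0 --group=0 --numeric-owner and compress with `gzip -n`.)
build_reproducible() {
    src=$1; out=$2
    : "${SOURCE_DATE_EPOCH:?set SOURCE_DATE_EPOCH to seconds since the epoch}"
    stage=$(mktemp -d)
    cp -R "$src"/. "$stage"/
    printf 'builddate = %s\n' "$SOURCE_DATE_EPOCH" > "$stage/BUILDINFO"
    # touch -t wants [CC]YYMMDDhhmm.SS; GNU/busybox date converts the epoch.
    stamp=$(date -u -d "@$SOURCE_DATE_EPOCH" +%Y%m%d%H%M.%S)
    find "$stage" -exec touch -t "$stamp" {} +
    (cd "$stage" && find . -type f | LC_ALL=C sort) > "$stage.list"
    tar -cf "$out" -C "$stage" -T "$stage.list"
    rm -rf "$stage" "$stage.list"
}

pkg_hash() { sha256sum "$1" | cut -d' ' -f1; }

# Succeeds when two naive builds of the same sources hash differently.
naive_builds_differ() {
    work=$(mktemp -d)
    make_source_tree "$work/src"
    build_naive "$work/src" "$work/build-1.tar"
    sleep 1    # the clock moves on, as it does between the mirror's build and yours
    build_naive "$work/src" "$work/build-2.tar"
    h1=$(pkg_hash "$work/build-1.tar"); h2=$(pkg_hash "$work/build-2.tar")
    rm -rf "$work"
    echo "naive:  $h1"; echo "naive:  $h2"
    [ "$h1" != "$h2" ]
}

# Succeeds when two builds pinned to the same SOURCE_DATE_EPOCH are bit-identical.
reproducible_builds_match() {
    work=$(mktemp -d)
    make_source_tree "$work/src"
    SOURCE_DATE_EPOCH=1449405000    # constructed value: a fixed instant in Dec 2015
    export SOURCE_DATE_EPOCH
    build_reproducible "$work/src" "$work/build-1.tar"
    sleep 1    # same clock drift, but this time nothing in the build reads the clock
    build_reproducible "$work/src" "$work/build-2.tar"
    h1=$(pkg_hash "$work/build-1.tar"); h2=$(pkg_hash "$work/build-2.tar")
    rm -rf "$work"
    echo "pinned: $h1"; echo "pinned: $h2"
    [ "$h1" = "$h2" ]
}

naive_builds_differ && echo "naive build: hashes differ (not reproducible)"
reproducible_builds_match && echo "pinned build: hashes match (reproducible)"
```

Running it prints two differing hashes for the naive builds and two identical ones for the pinned builds. Feeding the two naive archives to diffoscope shows exactly the kind of output described above: the BUILDINFO line and the tar member mtimes differ, nothing else. That is the whole trick behind reproducible packages: make the build read its date from SOURCE_DATE_EPOCH instead of the clock, normalise file metadata, and anyone can rebuild the package and compare hashes with the mirror's copy.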
So what is all this fuss about?
There is actually a huge problem: we trust our distributions for privacy and security.
But what if governments have already compromised FTP mirrors, or we have already installed backdoored software through a MITM attack?
That’s what core developers from major distributions are fighting as we speak: they are trying to engage more core developers and find a way to redistribute reproducible builds, so that you can actually verify a package build on your own PC.
Need to know more?
Click here: reproducible-builds
Can you help?
Take a look at diffoscope.